US9489516B1 - Detection of malware using an instrumented virtual machine environment - Google Patents
Detection of malware using an instrumented virtual machine environment Download PDFInfo
- Publication number
- US9489516B1 US9489516B1 US14/331,113 US201414331113A US9489516B1 US 9489516 B1 US9489516 B1 US 9489516B1 US 201414331113 A US201414331113 A US 201414331113A US 9489516 B1 US9489516 B1 US 9489516B1
- Authority
- US
- United States
- Prior art keywords
- resource
- version
- virtual machine
- malware
- file
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Active, expires
Links
Images
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/567—Computer malware detection or handling, e.g. anti-virus arrangements using dedicated hardware
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/03—Indexing scheme relating to G06F21/50, monitoring users, programs or devices to maintain the integrity of platforms
- G06F2221/033—Test or assess software
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F2221/00—Indexing scheme relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/21—Indexing scheme relating to G06F21/00 and subgroups addressing additional information or applications relating to security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F2221/2123—Dummy operation
Definitions
- a firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall.
- a firewall is typically a device or a set of devices, or software executed on a device, such as a computer, that provides a firewall function for network access.
- firewalls can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices).
- Firewalls can also be integrated into or executed as software on computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances or other types of special purpose devices).
- Firewalls typically deny or permit network transmission based on a set of rules. These sets of rules are often referred to as policies. For example, a firewall can filter inbound traffic by applying a set of rules or policies. A firewall can also filter outbound traffic by applying a set of rules or policies. Firewalls can also be capable of performing basic routing functions.
- FIG. 1 is a functional diagram of an architecture for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- FIG. 2 illustrates a data appliance in accordance with some embodiments.
- FIG. 3 is a flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- FIG. 4 is another flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- FIG. 5 is another flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- the invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
- these implementations, or any other form that the invention may take, may be referred to as techniques.
- the order of the steps of disclosed processes may be altered within the scope of the invention.
- a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
- the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
- a firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall.
- a firewall is typically a device, a set of devices, or software executed on a device that provides a firewall function for network access.
- a firewall can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices).
- a firewall can also be integrated into or executed as software applications on various types of devices or security devices, such as computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances or other types of special purpose devices).
- Firewalls typically deny or permit network transmission based on a set of rules. These sets of rules are often referred to as policies (e.g., network policies or network security policies). For example, a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from reaching protected devices. A firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall rules or firewall policies, which can be triggered based on various criteria, such as described herein).
- policies e.g., network policies or network security policies.
- a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from reaching protected devices.
- a firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall rules or firewall policies, which can be triggered based on various criteria, such as described herein).
- Security devices can include various security functions (e.g., firewall, anti-malware, intrusion prevention/detection, proxy, and/or other security functions), networking functions (e.g., routing, Quality of Service (QoS), workload balancing of network related resources, and/or other networking functions), and/or other functions.
- security functions e.g., firewall, anti-malware, intrusion prevention/detection, proxy, and/or other security functions
- networking functions e.g., routing, Quality of Service (QoS), workload balancing of network related resources, and/or other networking functions
- routing functions can be based on source information (e.g., IP address and port), destination information (e.g., IP address and port), and protocol information.
- a basic packet filtering firewall filters network communication traffic by inspecting individual packets transmitted over a network (e.g., packet filtering firewalls or first generation firewalls, which are stateless packet filtering firewalls).
- packet filtering firewalls or first generation firewalls which are stateless packet filtering firewalls.
- Stateless packet filtering firewalls typically inspect the individual packets themselves and apply rules based on the inspected packets (e.g., using a combination of a packet's source and destination address information, protocol information, and a port number).
- Application firewalls can also perform application layer filtering (e.g., using application layer filtering firewalls or second generation firewalls, which work on the application level of the TCP/IP stack).
- Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS)).
- HTTP HyperText Transfer Protocol
- DNS Domain Name System
- FTP File Transfer Protocol
- Telnet Telnet
- DHCP Dynamic Hossion Control Protocol
- TCP Transmission Control Protocol
- UDP User Datagram Protocol
- GSS TFTP
- Stateful firewalls can also perform stateful-based packet inspection in which each packet is examined within the context of a series of packets associated with that network transmission's flow of packets/packet flow (e.g., stateful firewalls or third generation firewalls).
- This firewall technique is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet.
- the state of a connection can itself be one of the criteria that triggers a rule within a policy.
- Advanced or next generation firewalls can perform stateless and stateful packet filtering and application layer filtering as discussed above.
- Next generation firewalls can also perform additional firewall techniques. For example, certain newer firewalls sometimes referred to as advanced or next generation firewalls can also identify users and content. In particular, certain next generation firewalls are expanding the list of applications that these firewalls can automatically identify to thousands of applications. Examples of such next generation firewalls are commercially available from Palo Alto Networks, Inc. (e.g., Palo Alto Networks' PA Series firewalls).
- Palo Alto Networks' next generation firewalls enable enterprises to identify and control applications, users, and content—not just ports, IP addresses, and packets—using various identification technologies, such as the following: APP-ID for accurate application identification, User-ID for user identification (e.g., by user or user group), and Content-ID for real-time content scanning (e.g., controls web surfing and limits data and file transfers).
- APP-ID for accurate application identification
- User-ID for user identification (e.g., by user or user group)
- Content-ID for real-time content scanning (e.g., controls web surfing and limits data and file transfers).
- special purpose hardware for next generation firewalls implemented, for example, as dedicated appliances generally provide higher performance levels for application inspection than software executed on general purpose hardware (e.g., such as security appliances provided by Palo Alto Networks, Inc., which utilize dedicated, function specific processing that is tightly integrated with a single-pass software engine to maximize network throughput while minimizing latency).
- general purpose hardware e.g., such as security appliances provided by Palo Alto Networks, Inc., which utilize dedicated, function specific processing that is tightly integrated with a single-pass software engine to maximize network throughput while minimizing latency.
- malware which refers to malicious programs, such as programs attempting to perform malicious or undesired actions
- new exploits such as zero-day threats that have not previously been identified (e.g., targeted and unknown threats).
- a new zero-day threat and/or an Advanced Persistent Threat e.g., various techniques using malware to exploit vulnerabilities in systems and often using an external command and control for continuously monitoring and extracting data from a specific target, often using stealthy, persistent methods that can evade traditional security measures, such as signature-based malware detection measures) that has not previously been identified (e.g., for which no signature yet exists) can exploit new or unresolved vulnerabilities in an application or operation system.
- APT Advanced Persistent Threat
- malware samples e.g., malware samples
- a virtual environment e.g., an instrumented virtual environment, which is sometimes also referred to as using a sandbox analysis of malware samples, which can be unknown threats
- malware can be quickly and accurately identified, even if the malware sample has not been previously analyzed and detected.
- protections can be automatically generated using a cloud security service (e.g., implementing a dynamic security analysis of malware samples in a scalable cloud-based, virtual environment to directly observe the behavior of potentially malicious malware and exploits) to be delivered to subscribers of the cloud security service (e.g., within minutes or hours of detection).
- a cloud security service e.g., implementing a dynamic security analysis of malware samples in a scalable cloud-based, virtual environment to directly observe the behavior of potentially malicious malware and exploits
- a cloud security service e.g., implementing a dynamic security analysis of malware samples in a scalable cloud-based, virtual environment to directly observe the behavior of potentially malicious malware and exploits
- URLs Uniform Resource Locator addresses
- the cloud security service identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by directly executing them in a scalable cloud-based, virtual sandbox environment (e.g., an instrumented virtual environment). Also, the cloud security service automatically creates and disseminates protections in near real-time to help security teams meet the challenge of advanced security threats.
- APTs Advanced Persistent Threats
- cloud security service extends the next-generation firewall platform that natively classifies all traffic across many different applications, and the cloud security service can apply a behavioral analysis regardless of ports or encryption, including full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP, SMB, and/or other protocols to facilitate detection and dissemination protections in near real-time to respond to such advanced security threats.
- email protocols SMTP, IMAP, POP
- FTP FTP
- SMB Simple Multimedia Access
- malware detection can be costly in terms of required computing resources (e.g., including processor and memory usage and computing time) used to perform dynamic security analysis using such an instrumented virtual environment.
- existing sandbox approaches to malware detection typically only install one version of software (e.g., applications or other software) per virtual machine instance, which can be inefficient and/or limit malware detection rates (e.g., as certain malware may only exploit vulnerabilities in certain versions of software).
- some other existing approaches execute multiple virtual machine instances with different software configurations (e.g., sequentially or simultaneously), but performing such approaches can be very resource consuming and/or time consuming.
- various techniques described herein can more efficiently perform detection of malware using an instrumented virtual machine environment (e.g., more efficiently using computing resources, including processor and memory usage and computing time, used to perform dynamic security analysis using such an instrumented virtual environment).
- these techniques described herein can also provide an enhanced detection rate of malware using an instrumented virtual machine environment that is performed more efficiently as further discussed below.
- detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.
- the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
- any items that are associated with a particular version of the resource can be renamed in order to conceal (e.g., hide) the presence of that version of the resource having been installed in the system environment.
- any file related items and/or registry key related items can be renamed and various additional techniques can be performed for handling any new process and/or service related items as further described below, such that the system environment can be returned to an appearance of a clean state as would be apparent to another version of the resource (e.g., as any items associated with the first version of the resource have been hidden from detection by the renaming of such items to different names/directories and/or renaming any such items to different registry key name/paths, and/or starting/stopping of any processes and/or services, such as further described below with respect to FIG. 3 ).
- the resource can include an executable application
- the malware sample can include a file in a format that is compatible with the executable application (e.g., the application can open the malware sample file).
- the instrumented virtual machine environment is monitored while executing each version of the resource with the malware sample opened using each version of the application for at least a predetermined period of time or until malicious behavior is detected (e.g., if there are four versions of the application, then a six minute period of time can be equally allocated among each of the four versions of the application, such that the malware sample is opened using each of the four versions of the malware sample and monitored for approximately one minute and thirty seconds).
- detection of malware using an instrumented virtual machine environment further includes storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource; and for each version of the resource to be executed, renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name (e.g., the dummy file names that are needed for properly executing a selected version of the application can be renamed to expected file names so that the selected version of the application can execute properly).
- a predetermined file name e.g., the dummy file names that are needed for properly executing a selected version of the application can be renamed to expected file names so that the selected version of the application can execute properly.
- detection of malware using an instrumented virtual machine environment further includes preloading one or more system files (e.g., required libraries, such as dynamically loaded libraries (DLLs)) that are used by the first version of the resource and/or the second version of the resource into a new resource system file location directory; and overriding an installer for the resource to redirect the installer to the new resource system file location directory.
- system files e.g., required libraries, such as dynamically loaded libraries (DLLs)
- detection of malware using an instrumented virtual machine environment further includes receiving the malware sample at a cloud security service from a security device, in which the instrumented virtual environment is monitored during execution of each version of the resource with the malware sample opened using each version of the resource to determine whether the malware sample indicates potentially malicious behavior
- detection of malware using an instrumented virtual machine environment further includes capturing network traffic while monitoring the instrumented virtual machine environment.
- the instrumented virtual machine environment is configured to include at least one kernel hook and/or at least one user level hook.
- the instrumented virtual machine environment is configured to include at least one honey file.
- various techniques for detection of malware using an instrumented virtual machine environment are disclosed. For example, using such techniques can facilitate an efficient and enhanced detection of malware using an instrumented virtual machine environment.
- using such techniques can facilitate an efficient and enhanced detection of malware using an instrumented virtual machine environment.
- a security service e.g., a cloud security service
- such techniques can similarly be applied to various other security environments, including, for example, performed in part or completely using security devices such as appliances, gateways, servers, and/or other security platforms capable of implementing various virtual environment techniques disclosed herein.
- FIG. 1 is a functional diagram of an architecture for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- an environment can detect and prevent malware from causing harm (e.g., malicious software can include any executable program, such as active content, executable code, and scripts, that can interfere with operation of a computing device or computer network, attempt unauthorized access of data or components of a computing device, and/or perform various other malicious, unauthorized, and/or undesirable activities).
- a variety of attempts by a malicious individual to propagate malware e.g., malware 130
- system 120 are described, as are techniques for thwarting that propagation or execution of such malware in protected network computing environments, such as for protecting computing devices within an enterprise network 110 .
- client devices 104 , 106 , and 108 are a laptop computer, a desktop computer, and a tablet (respectively) present in an enterprise network 110 .
- Data appliance 102 is configured to enforce policies regarding communications between clients, such as clients 104 and 106 , and nodes outside of enterprise network 110 (e.g., reachable via external network 118 , such as the Internet). Examples of such policies include ones governing traffic shaping, quality of service, and routing of traffic. Other examples of policies include security policies such as ones requiring the scanning for threats in incoming (and/or outgoing) email attachments, website downloads, files exchanged through instant messaging programs, and/or other file transfers. In some embodiments, appliance 102 is also configured to enforce policies with respect to traffic that stays within enterprise network 110 .
- Appliance 102 can take a variety of forms.
- appliance 102 can be a dedicated device or set of devices.
- the functionality provided by appliance 102 can also be integrated into or executed as software on a general purpose computer, a computer server, a gateway, and/or a network/routing device.
- services provided by data appliance 102 are instead (or in addition) provided to client 104 by software executing on client 104 .
- appliance 102 Whenever appliance 102 is described as performing a task, a single component, a subset of components, or all components of appliance 102 may cooperate to perform the task. Similarly, whenever a component of appliance 102 is described as performing a task, a subcomponent may perform the task and/or the component may perform the task in conjunction with other components. In various embodiments, portions of appliance 102 are provided by one or more third parties. Depending on factors such as the amount of computing resources available to appliance 102 , various logical components and/or features of appliance 102 may be omitted and the techniques described herein adapted accordingly. Similarly, additional logical components/features can be added to system 102 as applicable.
- appliance 102 can be configured to work in cooperation with one or more virtual machine servers ( 112 , 124 ) to perform malware analysis/prevention, including various techniques for providing detection of malware using an instrumented virtual machine environment as disclosed herein.
- data appliance 102 can be configured to provide a copy of malware 130 (e.g., a malware sample, which can include potentially malicious content) to one or more of the virtual machine servers for real-time analysis.
- a cloud security service 122 can provide a list of signatures of known-malicious documents to appliance 102 as part of a subscription. Those signatures can be generated by service 122 in conjunction with the techniques described herein.
- cloud security service 122 can automatically generate a new signature for the newly identified malware and send the new signature to various subscribers (e.g., data appliance 102 and various other data appliances that receive subscription-based signature updates).
- a data appliance e.g., data appliance 102 or another data appliance
- cloud security service 122 can automatically generate a new signature for the newly identified malware and send the new signature to various subscribers (e.g., data appliance 102 and various other data appliances that receive subscription-based signature updates).
- a virtual machine server is a physical machine comprising commercially available server-class hardware (e.g., a multi-core processor such as a dual 6-core Intel® processor with Hyper-Threading, 4 or more Gigabytes of RAM such as a 128 GB RAM, a system disk such as a 120 GB SSD, and one or more Gigabit network interface adapters) that runs commercially available virtualization software, such as VMware ESXi, Citrix XenServer, or Microsoft Hyper-V (e.g., such a VM environment can emulate the Windows® XP operating system environment using the dual 6-core Intel® processor with Hyper-Threading and 512 MB of RAM, the Windows® 7 operating system environment using the dual 6-core Intel® processor with Hyper-Threading and 1 GB of RAM, and/or other operating system environments and/or using different hardware capacity/components).
- server-class hardware e.g., a multi-core processor such as a dual 6-core Intel® processor with Hyper-Threading, 4 or more Giga
- the virtual machine servers may be separate from, but in communication with, data appliance 102 , as shown in FIG. 1 .
- a virtual machine server may also perform some or all of the functions of data appliance 102 , and a separate data appliance 102 is omitted as applicable.
- a virtual machine server may be under the control of the same entity that administers data appliance 102 (e.g., virtual machine server 112 ); the virtual machine server may also be provided by a third party (e.g., virtual machine server 124 , which can be configured to provide services to appliance 102 via third party service 122 ).
- data appliance 102 is configured to use one or the other of virtual machine servers 112 and 124 for malware analysis.
- data appliance 102 is configured to use the services of both servers (and/or additional servers not shown).
- the cloud security service can be delivered either as a public cloud or as a private cloud (e.g., deployed locally on an enterprise network using a locally deployed data appliance or server).
- the virtual machine server 124 is configured to implement various emulation-based techniques for providing detection of malware using an instrumented virtual machine environment as described herein with respect to various embodiments (e.g., implemented using instrumented VM environments 126 and 128 , which can be executed by cloud security service 122 and/or malware analysis system 132 , such as described below with respect to FIGS. 3 and 4 , and with respect to various other embodiments disclosed herein).
- the virtual machine server 124 can provide an instrumented virtual machine environment capable of performing the various techniques as described herein.
- instrumented virtual machine (VM) environments 126 and 128 can include, for example, various user level hooks and/or kernel level hooks in the emulated execution environment to facilitate the monitoring of various program behaviors during execution in the virtual environment (e.g., instrumented VM environments, such as described above) and to log such monitored program behaviors for analysis based on the various techniques described herein with respect to various embodiments.
- multiple instances of a malware sample can be performed using multiple VM environments to perform various tests and/or execute using different execution environments (e.g., different versions of an operating system (OS) environment, different versions of an application, etc.).
- OS operating system
- FIG. 2 illustrates a data appliance in accordance with some embodiments.
- data appliance 102 e.g., a device that performs various security related functions, such as a security device, which can be in the form of, for example, a security appliance, security gateway, security server, and/or another form of a security device
- data appliance 102 includes a high performance multi-core CPU 202 and RAM 204 .
- Data appliance 102 also includes a storage 210 (such as one or more hard disks), which is used to store policy and other configuration information.
- Data appliance 102 can also include one or more optional hardware accelerators.
- data appliance 102 can include a cryptographic engine 206 configured to perform encryption and decryption operations, and one or more FPGAs 208 configured to perform matching, act as network processors, and/or perform other tasks.
- An instrumented virtual machine can be used to perform behavior profiling (e.g., in a VM sandbox environment) using various heuristic-based analysis techniques that can be performed in real-time during execution of the program in the instrumented virtual environment, such as during a file transfer (e.g., during an active file/attachment download) and/or on files previously collected (e.g., a collection of files submitted for batch analysis).
- a file transfer e.g., during an active file/attachment download
- files previously collected e.g., a collection of files submitted for batch analysis.
- documents, executables, and other forms of potentially malicious content are referred to herein as “malware samples” or just “samples.”
- the attachment may be an executable (e.g., having a file extension of, for example, .exe or .js or some other executable related file extension) and may also be a document (e.g., having a file extension of, for example, .doc or .pdf or some other document related file extension).
- the message is received by data appliance 102 , which determines whether a signature for the attachment is present on data appliance 102 .
- a signature if present, can indicate that the attachment is known to be safe, and can also indicate that the attachment is known to be malicious. If no signature for the attachment is found, data appliance 102 is configured to provide the attachment to a virtual machine server, such as virtual machine server 112 , for analysis.
- Virtual machine server 112 is configured to execute (e.g., or open, as applicable, using an appropriate application to open the file using an application that is compatible with opening that file format) the attachment in one or more virtual machines, such as virtual machines 114 and 116 (e.g., instantiated virtual machines in the instrumented virtual machine environment).
- the virtual machines may all execute the same operating system (e.g., Microsoft Windows) or may execute different operating systems or versions thereof (e.g., with VM 116 emulating an Android operating system or some other operating system).
- the VM(s) chosen to analyze the attachment are selected to match the operating system of the intended recipient of the attachment being analyzed (e.g., the operating system of client 104 ).
- Observed behaviors resulting from executing/opening the attachment e.g., to analyze various behaviors while executing/opening the attachment in the instrumented VM environment) are logged and analyzed for indications that the attachment is potentially malicious or malicious.
- instantiating multiple virtual machine instances for performing analysis of a given malware sample can be expensive from a computing resources perspective and can also be inefficient from a compute time perspective (e.g., due to the time required to launch an instance of a VM with desired resources, etc., and CPU and memory requirements for executing multiple such VMs on an appliance/server).
- a virtual machine is instantiated in the instrumented virtual machine environment (e.g., virtual machines 114 and/or 116 ), in which the virtual machine is configured to support installation of two or more versions of a resource (e.g., an executable application that can be used for opening the malware sample which can include a file in a format that is compatible with the executable application, such as two or more versions of Adobe Acrobat® for opening a malware sample that is a PDF file format (.pdf) or two or more versions of Microsoft Word® for opening a malware sample that is a Word document file format (.doc), etc.).
- a resource e.g., an executable application that can be used for opening the malware sample which can include a file in a format that is compatible with the executable application, such as two or more versions of Adobe Acrobat® for opening a malware sample that is a PDF file format (.pdf) or two or more versions of Microsoft Word® for opening a malware sample that is a Word document file format (.doc), etc.
- Such a virtual machine can then be used to install a first version of the resource and monitor the instrumented virtual machine environment while executing the first version of the resource with the malware sample opened using the first version of the resource.
- This virtual machine can then also be used to install a second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.
- the instrumented virtual machine environment can be monitored while executing each version of the resource with the malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected (e.g., if there are four versions of the application, then a six minute period of time can be equally allocated among each of the four versions of the application, such that the malware sample is opened using each of the four versions of the malware sample and monitored for approximately 1 minute and 30 seconds).
- This approach allows for an efficient analysis of the malware sample using multiple different versions of the resource for opening the malware sample and monitoring behavior in the instrumented virtual environment without having to re-instantiate the virtual machine to install and execute such different versions of the resource (e.g., executable application versions).
- such VM-based analysis techniques are performed by the VM server (e.g., VM server 112 ). In other embodiments, such VM-based analysis techniques are performed at least in part by appliance 102 (e.g., or in some cases, such VM-based analysis techniques can be performed completely by the appliance 102 ).
- the malware analysis and enforcement functionality illustrated in FIG. 1 as being provided by data appliance 102 and VM server 112 is also referred to herein as being provided by malware analysis system 132 . As explained above, portions of malware analysis system 132 may be provided by multiple distinct devices, but may also be provided on a single platform, as applicable.
- appliance 102 can automatically block the file download based on the analysis result. Further, in some embodiments, a signature can be generated and distributed (e.g., to other data appliances) to automatically block future file transfer requests to download the file determined to be malicious.
- Malware often leverages exploits that are specific to a particular system configuration or set of system configurations. For example, malware 130 might be able to successfully compromise a computer system running a particular operating system version and/or a particular application version, such as Adobe Acrobat® Version 9.0 (e.g., running on client 104 ), but be unable to compromise a computer system running any versions of Adobe Acrobat® Version 10.0 (e.g., running on client 106 ). If the only virtual machine used to evaluate malware 130 is an instrumented virtual machine environment with Adobe Acrobat® Version 9.0 installed, then the malicious nature of malware 130 might not be discovered.
- Adobe Acrobat® Version 9.0 e.g., running on client 104
- Adobe Acrobat® Version 10.0 e.g., running on client 106
- malware 130 might be able to successfully compromise a system upon which a particular combination of software is installed (e.g., a specific version of Internet Explorer with a specific version of Java). If the only virtual machine image(s) used to evaluate malware 130 include only one but not both applications, or include different versions of those applications, then the malicious nature of malware 130 might not be discovered.
- a particular combination of software e.g., a specific version of Internet Explorer with a specific version of Java.
- Some computing environments are relatively homogenous. For example, every employee at a startup might be issued the same laptop, running the same operating system, and with the same base applications installed. More typically, however, a range of different platforms and configurations is supported (e.g., in an enterprise environment). Further, certain employees (e.g., in the Finance Department) may need access to additional software (e.g., Microsoft Access®) not included on the systems of other users. And, employees are often allowed to customize their systems, e.g., by adding or removing software.
- additional software e.g., Microsoft Access®
- malware 130 targets Microsoft Windows systems. Further suppose that the IT Department of Acme Company supports the following: Windows 7 operating system with either Internet Explorer 9 or 10, and any of Microsoft Office 2007 and 2010 installed. An Acme Company employee may thus potentially be opening malware 130 on any of four different officially supported Windows system and application version configurations.
- malware analysis system 132 can efficiently evaluate malware 130 using a single virtual machine instance that can then install and execute each of these four potential application version configurations and will be able to detect that malware 130 is malicious.
- this approach to providing dynamic security analysis using an instrumented virtual machine environment is efficiently performed in this case without having to re-instantiate the virtual machine instance by installing and executing each of these four different combinations of application versions in the single virtual machine instance for the Windows 7 operating system.
- FIG. 3 is a flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- process 300 is performed by malware analysis system 132 .
- the process begins at 302 when candidate malware (e.g., a malware sample) is received.
- candidate malware is received at 302 when an email (e.g., including an attachment) is received by data appliance 102 from system 120 .
- data appliance 102 can be configured to transmit the attachment to service 122 for analysis.
- the candidate malware is received by cloud security service 122 at 302 .
- instantiating a first virtual machine i.e., launching a single virtual machine instance for execution
- the first virtual machine is configured to support installation of two or more versions of a resource.
- the candidate malware can be executed in one of virtual machines 114 - 116 and any behaviors logged for analysis by system 132 .
- the candidate malware can be executed in one of virtual machines 126 - 128 and analyzed by cloud security service 122 .
- installing a first version of a resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource is performed.
- the candidate malware can be analyzed by opening the candidate malware using the first version of the resource and monitoring behaviors using the instrumented virtual machine environment (e.g., for a predetermined period of time and/or until malicious behavior/activity is detected).
- the first virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to install the first version of the resource and to open the candidate malware using the first version of the resource.
- the first virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to install the second version of the resource (e.g., after a predetermined period of time and/or based on other criteria) and to open the candidate malware using the second version of the resource.
- a set of instructions e.g., startup instructions, such as in an autoexec.bat file
- the candidate malware can also be analyzed by opening the candidate malware using the second version of the resource and monitoring behaviors using the instrumented virtual machine environment (e.g., for a predetermined period of time and/or until malicious behavior/activity is detected).
- the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
- the resource includes an executable application
- the malware sample includes a file in a format that is compatible with the executable application (e.g., the application can open the malware sample file).
- the instrumented virtual machine environment is monitored while executing each version of the application with the malware sample opened using each version of the application for at least a predetermined period of time or until malicious behavior is detected (e.g., and/or until some other criteria is satisfied).
- a six minute period of time can be equally allocated among each of the two versions of the application, such that the malware sample is opened using each of the two versions of the malware sample and monitored for approximately three minutes.
- the virtual machine instance can be configured to include a set of (startup) instructions, such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria).
- startup such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria).
- two or more different versions of the resource can be installed and efficiently executed using the same VM instance using the following techniques.
- the system environment e.g., of the VM instance
- the first version of the resource e.g., a software application, such as Microsoft Office®
- the system environment can then be scanned again after completion of the installation of the first version of the resource to determine any new items identified, including, for example, any new files that were saved/installed by the installation, registry setting changes, processes launched, and services installed.
- these new file related items and/or registry key related items can then later be renamed in order to conceal (e.g., hide) the presence of any such file related items and/or registry key related items related to the first version of the resource having been installed in the system environment.
- the system environment After renaming and saving each of such new file related items and/or registry key related items (e.g., using dummy file names and/or dummy directory paths), and performing various additional techniques for handling any new process and/or service related items as further described below, the system environment is returned to an appearance of a clean state as would be apparent to a second version of the resource (e.g., as any items associated with the first version of the resource have been hidden from detection by the renaming of such items to different names/directories and/or renaming any such items to different registry key name/paths, and/or starting/stopping of any processes and/or services, such as further described below).
- certain resources e.g., Microsoft Office® and/or various other applications
- a brute force approach that requires renaming all such items can generally be slow and/or resource expensive.
- another approach can be performed that determines a subset or minimum set of items for renaming to more efficiently perform such renaming operations. For example, assume that for a set of new files located in a directory path of C: ⁇ Program Files ⁇ Microsoft Office ⁇ that only “Microsoft Office” needs to be renamed in order to hide all of the following items.
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ DrawAlerts ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ DrawAlerts ⁇ FTP Sites ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LCCache ⁇ SmartArt ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LCCache ⁇ SmartArt ⁇ 1033 ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LCCache ⁇ Themes ⁇ 1033 ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LCCache ⁇ WordDocParts ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LCCache ⁇ WordDocParts ⁇ 1033 ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LanguageResources ⁇
- HKEY_CURRENT_USER Software ⁇ Microsoft ⁇ Office ⁇ 14.0 ⁇ Common ⁇ LanguageResources ⁇ EnabledLanguages ⁇
- this process can be performed three to ten times faster, depending on the virtual machine execution environment.
- any new processes that are identified during a system environment state scan can be stopped before swapping to another version of the resource (e.g., before launching/executing the second version of the resource), and any corresponding new process for another version of the resource can be started after such a swap (e.g., after stopping execution of the first version of the resource, and starting execution of the second version of the resource).
- any new services that are identified during a system environment state scan e.g., after installation of the first version of the resource
- any such new services can be uninstalled/installed service, if stopping/starting such services is not sufficient to properly execute another version of the resource (e.g., after stopping execution of the first version of the resource, and starting execution of the second version of the resource).
- these renaming and service/process start/stop operations can be performed to swap between different versions of the resource (e.g., swapping from an execution of the first version of the resource to an execution of the second version of the resource and vice versa, such that if a selected version of the resource is to be executed, then the files/registry keys associated with the selected version of the resource that had been renamed to, for example, various dummy file names, can be renamed to expected file names so that the selected version of the resource can execute properly).
- this process of scanning the system environment and performing the above-described resource version specific related operations can be repeated to support installation and execution of additional versions of the resource using the same VM instance.
- the inserting of kernel level and/or user level hooks in the instrumented virtual machine environment can be implemented to facilitate analysis of malware samples. Such hooks may be frequently updated (e.g., by the operator of service 122 ).
- inserting the hooks just prior to execution is efficient, and can also mitigate attempts by malware 130 to determine that it is operating in an instrumented (i.e., hooked) environment (e.g., as certain malware attempt to utilize anti-VM techniques to evade detection in VM environments).
- an instrumented (i.e., hooked) environment e.g., as certain malware attempt to utilize anti-VM techniques to evade detection in VM environments.
- any modifications to the file system are captured.
- any hooks installed in the instrumented virtual machine environment can report log information (e.g., back to appliance 102 and/or cloud security service 122 ) for analysis.
- network traffic can be captured and logged (e.g., using pcap).
- Analyses of the results of emulating the sample are then performed.
- various heuristic techniques are used to analyze the results of emulating the sample in order to detect whether the candidate malware (e.g., malware sample can include a file, which can be opened using an appropriate application, and/or a program, such as a script or other executable code or script) executing in the instrumented virtual machine environment is malware (e.g., by detecting whether the candidate malware is performing malicious behavior by monitoring the instrumented virtual machine environment).
- the candidate malware e.g., malware sample can include a file, which can be opened using an appropriate application, and/or a program, such as a script or other executable code or script
- executing in the instrumented virtual machine environment is malware (e.g., by detecting whether the candidate malware is performing malicious behavior by monitoring the instrumented virtual machine environment).
- the virtual machine instance can then be abandoned and new virtual machine instances can be used to evaluate new malware samples using the techniques disclosed herein.
- output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)).
- a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature).
- an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104 .
- FIG. 4 is another flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- process 400 is performed by malware analysis system 132 .
- the process begins at 402 when candidate malware (e.g., a malware sample) is received.
- candidate malware is received at 402 when an email (e.g., including an attachment) is received by data appliance 102 from system 120 .
- data appliance 102 can be configured to transmit the attachment to service 122 for analysis.
- the candidate malware is received by cloud security service 122 at 402 .
- storing a plurality of installed versions of a resource using dummy file names for one or more registry files and one or more executable files associated with the resource is performed.
- renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name is performed. For example, the dummy file names that are needed for properly executing a selected version of the resource can be renamed to expected file names so that the selected version of the resource can execute properly.
- monitoring the candidate malware sample opened using each version of the resource using the instrumented virtual machine (VM) environment is performed.
- the candidate malware can be analyzed using one or more virtual machines by executing each version of the resource with the candidate malware sample (e.g., malware sample can include a file, which can be opened using each version of the resource, which can be an application program that can open that format of file) in the instrumented virtual machine environment.
- the candidate malware can be executed in one or more virtual machines 114 - 116 and any behaviors logged for analysis by system 132 .
- the candidate malware can be executed in one or more virtual machines 126 - 128 and analyzed by cloud security service 122 .
- the virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria).
- the set of instructions can also include the instructions to perform the operations described above at 404 and 406 .
- output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)).
- a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature).
- an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104 .
- FIG. 5 is another flow diagram of a process for providing detection of malware using an instrumented virtual machine environment in accordance with some embodiments.
- process 500 is performed by malware analysis system 132 .
- the process begins at 502 when candidate malware (e.g., a malware sample) is received.
- candidate malware is received at 502 when an email (e.g., including an attachment) is received by data appliance 102 from system 120 .
- data appliance 102 can be configured to transmit the attachment to service 122 for analysis.
- the candidate malware is received by cloud security service 122 at 502 .
- preloading one or more system files that are used by a first version of a resource and/or a second version of the resource into a new resource system file location directory is performed.
- preloading one or more system files can include preloading required libraries (e.g., dynamically loaded libraries (DLLs)) into a local directory so that a program loader can access those files that would not necessarily be available if running a certain version of the operating system (e.g., preloading DLLs into a common files ⁇ Adobe-X local directory such that the Adobe application program loader can access such DLLs on the Windows 8 virtual machine instance for a legacy version of that Adobe application that was configured to execute on Windows XP but not Windows 8).
- DLLs dynamically loaded libraries
- overriding an installer for the resource to redirect the installer to the new resource system file location directory is performed.
- the installer of the resource can be modified to load a correct version of common resources, such as to redirect the installer to access certain directors for loading various system files when installing the resource (e.g., such as for loading certain libraries or other operating systems and/or resource related libraries or other components used for installing the resource).
- C: ⁇ program files ⁇ common files ⁇ resource-X′′ is a directory for files that will be loaded across the versions; such files can place different versions of files, such as libraries or other common files used by resource-X, under different folders, and redirect the loader to load the correct version of the resource-X; or such resources can be renamed to the correct path before a given version of the resource-X is executed such that it can find the correct version of such libraries or other common files used by resource-X).
- the installer of the resource can be modified to bypass a version check during installation (e.g., by disabling version check installer logic and/or hiding/concealing the files/registries that the installer would typically be configured to look for, etc.).
- monitoring the candidate malware sample opened using each version of the resource using the instrumented virtual machine (VM) environment is performed.
- the candidate malware can be analyzed using one or more virtual machines by executing each version of the resource with the candidate malware sample (e.g., malware sample can include a file, which can be opened using each version of the resource, which can be an application program that can open that format of file) in the instrumented virtual machine environment.
- the candidate malware can be executed in one or more virtual machines 114 - 116 and any behaviors logged for analysis by system 132 .
- the candidate malware can be executed in one or more virtual machines 126 - 128 and analyzed by cloud security service 122 .
- the virtual machine instance can be configured to include a set of (startup) instructions, such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria).
- the set of instructions can also include the instructions to perform the operations described above at 504 and 506 .
- the set of instructions can also include the instructions to perform the operations described above at 404 and 406 as well as to perform the operations described above at 504 and 506 .
- output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)).
- a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature).
- an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104 .
Abstract
Various techniques for detection of malware using an instrumented virtual machine environment are disclosed. In some embodiments, detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource.
Description
A firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall. A firewall is typically a device or a set of devices, or software executed on a device, such as a computer, that provides a firewall function for network access. For example, firewalls can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices). Firewalls can also be integrated into or executed as software on computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances or other types of special purpose devices).
Firewalls typically deny or permit network transmission based on a set of rules. These sets of rules are often referred to as policies. For example, a firewall can filter inbound traffic by applying a set of rules or policies. A firewall can also filter outbound traffic by applying a set of rules or policies. Firewalls can also be capable of performing basic routing functions.
Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
A firewall generally protects networks from unauthorized access while permitting authorized communications to pass through the firewall. A firewall is typically a device, a set of devices, or software executed on a device that provides a firewall function for network access. For example, a firewall can be integrated into operating systems of devices (e.g., computers, smart phones, or other types of network communication capable devices). A firewall can also be integrated into or executed as software applications on various types of devices or security devices, such as computer servers, gateways, network/routing devices (e.g., network routers), or data appliances (e.g., security appliances or other types of special purpose devices).
Firewalls typically deny or permit network transmission based on a set of rules. These sets of rules are often referred to as policies (e.g., network policies or network security policies). For example, a firewall can filter inbound traffic by applying a set of rules or policies to prevent unwanted outside traffic from reaching protected devices. A firewall can also filter outbound traffic by applying a set of rules or policies (e.g., allow, block, monitor, notify or log, and/or other actions can be specified in firewall rules or firewall policies, which can be triggered based on various criteria, such as described herein).
Security devices (e.g., security appliances, security gateways, security services, and/or other security devices) can include various security functions (e.g., firewall, anti-malware, intrusion prevention/detection, proxy, and/or other security functions), networking functions (e.g., routing, Quality of Service (QoS), workload balancing of network related resources, and/or other networking functions), and/or other functions. For example, routing functions can be based on source information (e.g., IP address and port), destination information (e.g., IP address and port), and protocol information.
A basic packet filtering firewall filters network communication traffic by inspecting individual packets transmitted over a network (e.g., packet filtering firewalls or first generation firewalls, which are stateless packet filtering firewalls). Stateless packet filtering firewalls typically inspect the individual packets themselves and apply rules based on the inspected packets (e.g., using a combination of a packet's source and destination address information, protocol information, and a port number).
Application firewalls can also perform application layer filtering (e.g., using application layer filtering firewalls or second generation firewalls, which work on the application level of the TCP/IP stack). Application layer filtering firewalls or application firewalls can generally identify certain applications and protocols (e.g., web browsing using HyperText Transfer Protocol (HTTP), a Domain Name System (DNS) request, a file transfer using File Transfer Protocol (FTP), and various other types of applications and other protocols, such as Telnet, DHCP, TCP, UDP, and TFTP (GSS)). For example, application firewalls can block unauthorized protocols that attempt to communicate over a standard port (e.g., an unauthorized/out of policy protocol attempting to sneak through by using a non-standard port for that protocol can generally be identified using application firewalls).
Stateful firewalls can also perform stateful-based packet inspection in which each packet is examined within the context of a series of packets associated with that network transmission's flow of packets/packet flow (e.g., stateful firewalls or third generation firewalls). This firewall technique is generally referred to as a stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. For example, the state of a connection can itself be one of the criteria that triggers a rule within a policy.
Advanced or next generation firewalls can perform stateless and stateful packet filtering and application layer filtering as discussed above. Next generation firewalls can also perform additional firewall techniques. For example, certain newer firewalls sometimes referred to as advanced or next generation firewalls can also identify users and content. In particular, certain next generation firewalls are expanding the list of applications that these firewalls can automatically identify to thousands of applications. Examples of such next generation firewalls are commercially available from Palo Alto Networks, Inc. (e.g., Palo Alto Networks' PA Series firewalls).
For example, Palo Alto Networks' next generation firewalls enable enterprises to identify and control applications, users, and content—not just ports, IP addresses, and packets—using various identification technologies, such as the following: APP-ID for accurate application identification, User-ID for user identification (e.g., by user or user group), and Content-ID for real-time content scanning (e.g., controls web surfing and limits data and file transfers). These identification technologies allow enterprises to securely enable application usage using business-relevant concepts, instead of following the traditional approach offered by traditional port-blocking firewalls. Also, special purpose hardware for next generation firewalls implemented, for example, as dedicated appliances generally provide higher performance levels for application inspection than software executed on general purpose hardware (e.g., such as security appliances provided by Palo Alto Networks, Inc., which utilize dedicated, function specific processing that is tightly integrated with a single-pass software engine to maximize network throughput while minimizing latency).
Dynamic Analysis to Identify and Block Unknown Threats
However, a significant challenge for security detection techniques is to identify threats (e.g., malware, which refers to malicious programs, such as programs attempting to perform malicious or undesired actions) attempting to use new exploits, such as zero-day threats that have not previously been identified (e.g., targeted and unknown threats). For example, a new zero-day threat and/or an Advanced Persistent Threat (APT) (e.g., various techniques using malware to exploit vulnerabilities in systems and often using an external command and control for continuously monitoring and extracting data from a specific target, often using stealthy, persistent methods that can evade traditional security measures, such as signature-based malware detection measures) that has not previously been identified (e.g., for which no signature yet exists) can exploit new or unresolved vulnerabilities in an application or operation system.
In particular, modern attackers are increasingly using targeted and new unknown variants of malware to avoid detection by traditional security solutions. For example, advanced security threats (e.g., advanced cyber-attacks) are employing stealthy, persistent methods to evade traditional security measures. Skilled adversaries demand that modern security teams re-evaluate their basic assumptions that traditional intrusion prevention systems, antivirus, and single-purpose sandbox appliances are up to the task of defeating advanced security threats, such as APTs.
To address this, new and improved techniques are needed to efficiently and effectively identify such new and evolving malware. For example, by executing suspect files (e.g., malware samples) in a virtual environment (e.g., an instrumented virtual environment, which is sometimes also referred to as using a sandbox analysis of malware samples, which can be unknown threats) and observing their behavior, such malware can be quickly and accurately identified, even if the malware sample has not been previously analyzed and detected.
Once a file is deemed malicious (e.g., a malware sample is deemed to be malware), protections can be automatically generated using a cloud security service (e.g., implementing a dynamic security analysis of malware samples in a scalable cloud-based, virtual environment to directly observe the behavior of potentially malicious malware and exploits) to be delivered to subscribers of the cloud security service (e.g., within minutes or hours of detection). For example, such techniques can also be used to forensically determine who/what was targeted, including the application used in the delivery, any Uniform Resource Locator addresses (URLs) that were part of the attack, etc. (e.g., when an unknown threat is discovered, techniques disclosed herein can automatically generate protections to block the threat across the cyber kill-chain, sharing these updates with subscribers of the cloud security service within minutes or hours of detection, such that these quick updates can stop rapidly spreading malware, as well as identify and block the proliferation of potential future variants without any additional action or analysis). As disclosed herein, the cloud security service identifies unknown malware, zero-day exploits, and Advanced Persistent Threats (APTs) by directly executing them in a scalable cloud-based, virtual sandbox environment (e.g., an instrumented virtual environment). Also, the cloud security service automatically creates and disseminates protections in near real-time to help security teams meet the challenge of advanced security threats. In an example implementation, cloud security service extends the next-generation firewall platform that natively classifies all traffic across many different applications, and the cloud security service can apply a behavioral analysis regardless of ports or encryption, including full visibility into web traffic, email protocols (SMTP, IMAP, POP), FTP, SMB, and/or other protocols to facilitate detection and dissemination protections in near real-time to respond to such advanced security threats.
However, detection of malware using an instrumented virtual environment can be costly in terms of required computing resources (e.g., including processor and memory usage and computing time) used to perform dynamic security analysis using such an instrumented virtual environment. For example, existing sandbox approaches to malware detection typically only install one version of software (e.g., applications or other software) per virtual machine instance, which can be inefficient and/or limit malware detection rates (e.g., as certain malware may only exploit vulnerabilities in certain versions of software). As another example, some other existing approaches execute multiple virtual machine instances with different software configurations (e.g., sequentially or simultaneously), but performing such approaches can be very resource consuming and/or time consuming.
Thus, what are needed are new and improved techniques for detection of malware using an instrumented virtual machine environment. For example, various techniques described herein can more efficiently perform detection of malware using an instrumented virtual machine environment (e.g., more efficiently using computing resources, including processor and memory usage and computing time, used to perform dynamic security analysis using such an instrumented virtual environment). In addition, these techniques described herein can also provide an enhanced detection rate of malware using an instrumented virtual machine environment that is performed more efficiently as further discussed below.
Accordingly, various techniques for detection of malware using an instrumented virtual machine environment are disclosed. In some embodiments, detection of malware using an instrumented virtual machine environment includes instantiating a first virtual machine in the instrumented virtual machine environment, in which the first virtual machine is configured to support installation of two or more versions of a resource; installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource; and installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource. In an example implementation, the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine. In some embodiments, any items that are associated with a particular version of the resource can be renamed in order to conceal (e.g., hide) the presence of that version of the resource having been installed in the system environment. For example, any file related items and/or registry key related items can be renamed and various additional techniques can be performed for handling any new process and/or service related items as further described below, such that the system environment can be returned to an appearance of a clean state as would be apparent to another version of the resource (e.g., as any items associated with the first version of the resource have been hidden from detection by the renaming of such items to different names/directories and/or renaming any such items to different registry key name/paths, and/or starting/stopping of any processes and/or services, such as further described below with respect to FIG. 3 ).
For example, the resource can include an executable application, and the malware sample can include a file in a format that is compatible with the executable application (e.g., the application can open the malware sample file). In particular, the instrumented virtual machine environment is monitored while executing each version of the resource with the malware sample opened using each version of the application for at least a predetermined period of time or until malicious behavior is detected (e.g., if there are four versions of the application, then a six minute period of time can be equally allocated among each of the four versions of the application, such that the malware sample is opened using each of the four versions of the malware sample and monitored for approximately one minute and thirty seconds).
In some embodiments, detection of malware using an instrumented virtual machine environment further includes storing a plurality of installed versions of the resource using dummy file names for one or more registry files and one or more executable files associated with the resource; and for each version of the resource to be executed, renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name (e.g., the dummy file names that are needed for properly executing a selected version of the application can be renamed to expected file names so that the selected version of the application can execute properly).
In some embodiments, detection of malware using an instrumented virtual machine environment further includes preloading one or more system files (e.g., required libraries, such as dynamically loaded libraries (DLLs)) that are used by the first version of the resource and/or the second version of the resource into a new resource system file location directory; and overriding an installer for the resource to redirect the installer to the new resource system file location directory.
In some embodiments, detection of malware using an instrumented virtual machine environment further includes receiving the malware sample at a cloud security service from a security device, in which the instrumented virtual environment is monitored during execution of each version of the resource with the malware sample opened using each version of the resource to determine whether the malware sample indicates potentially malicious behavior
In some embodiments, detection of malware using an instrumented virtual machine environment further includes capturing network traffic while monitoring the instrumented virtual machine environment. In some embodiments, the instrumented virtual machine environment is configured to include at least one kernel hook and/or at least one user level hook. In some embodiments, the instrumented virtual machine environment is configured to include at least one honey file.
Accordingly, various techniques for detection of malware using an instrumented virtual machine environment are disclosed. For example, using such techniques can facilitate an efficient and enhanced detection of malware using an instrumented virtual machine environment. As will be apparent to one skilled in the art in view of the various techniques and embodiments described herein, while the various techniques described herein for detection of malware using an instrumented virtual machine environment are described with respect to virtual environments using a security service (e.g., a cloud security service), such techniques can similarly be applied to various other security environments, including, for example, performed in part or completely using security devices such as appliances, gateways, servers, and/or other security platforms capable of implementing various virtual environment techniques disclosed herein.
In the example shown in FIG. 1 , client devices 104, 106, and 108 are a laptop computer, a desktop computer, and a tablet (respectively) present in an enterprise network 110. Data appliance 102 is configured to enforce policies regarding communications between clients, such as clients 104 and 106, and nodes outside of enterprise network 110 (e.g., reachable via external network 118, such as the Internet). Examples of such policies include ones governing traffic shaping, quality of service, and routing of traffic. Other examples of policies include security policies such as ones requiring the scanning for threats in incoming (and/or outgoing) email attachments, website downloads, files exchanged through instant messaging programs, and/or other file transfers. In some embodiments, appliance 102 is also configured to enforce policies with respect to traffic that stays within enterprise network 110.
Whenever appliance 102 is described as performing a task, a single component, a subset of components, or all components of appliance 102 may cooperate to perform the task. Similarly, whenever a component of appliance 102 is described as performing a task, a subcomponent may perform the task and/or the component may perform the task in conjunction with other components. In various embodiments, portions of appliance 102 are provided by one or more third parties. Depending on factors such as the amount of computing resources available to appliance 102, various logical components and/or features of appliance 102 may be omitted and the techniques described herein adapted accordingly. Similarly, additional logical components/features can be added to system 102 as applicable.
As will be described in more detail below, appliance 102 can be configured to work in cooperation with one or more virtual machine servers (112, 124) to perform malware analysis/prevention, including various techniques for providing detection of malware using an instrumented virtual machine environment as disclosed herein. As one example, data appliance 102 can be configured to provide a copy of malware 130 (e.g., a malware sample, which can include potentially malicious content) to one or more of the virtual machine servers for real-time analysis. As another example, a cloud security service 122 can provide a list of signatures of known-malicious documents to appliance 102 as part of a subscription. Those signatures can be generated by service 122 in conjunction with the techniques described herein. For example, if service 122 identifies a new malware associated with the malware sample received from a data appliance (e.g., data appliance 102 or another data appliance), such as using various techniques for providing detection of malware using an instrumented virtual machine environment as disclosed herein, cloud security service 122 can automatically generate a new signature for the newly identified malware and send the new signature to various subscribers (e.g., data appliance 102 and various other data appliances that receive subscription-based signature updates).
An example of a virtual machine server is a physical machine comprising commercially available server-class hardware (e.g., a multi-core processor such as a dual 6-core Intel® processor with Hyper-Threading, 4 or more Gigabytes of RAM such as a 128 GB RAM, a system disk such as a 120 GB SSD, and one or more Gigabit network interface adapters) that runs commercially available virtualization software, such as VMware ESXi, Citrix XenServer, or Microsoft Hyper-V (e.g., such a VM environment can emulate the Windows® XP operating system environment using the dual 6-core Intel® processor with Hyper-Threading and 512 MB of RAM, the Windows® 7 operating system environment using the dual 6-core Intel® processor with Hyper-Threading and 1 GB of RAM, and/or other operating system environments and/or using different hardware capacity/components). The virtual machine servers may be separate from, but in communication with, data appliance 102, as shown in FIG. 1 . A virtual machine server may also perform some or all of the functions of data appliance 102, and a separate data appliance 102 is omitted as applicable. Further, a virtual machine server may be under the control of the same entity that administers data appliance 102 (e.g., virtual machine server 112); the virtual machine server may also be provided by a third party (e.g., virtual machine server 124, which can be configured to provide services to appliance 102 via third party service 122). In some embodiments, data appliance 102 is configured to use one or the other of virtual machine servers 112 and 124 for malware analysis. In other embodiments, data appliance 102 is configured to use the services of both servers (and/or additional servers not shown). Thus, in some implementations, the cloud security service can be delivered either as a public cloud or as a private cloud (e.g., deployed locally on an enterprise network using a locally deployed data appliance or server).
In some embodiments, the virtual machine server 124 is configured to implement various emulation-based techniques for providing detection of malware using an instrumented virtual machine environment as described herein with respect to various embodiments (e.g., implemented using instrumented VM environments 126 and 128, which can be executed by cloud security service 122 and/or malware analysis system 132, such as described below with respect to FIGS. 3 and 4 , and with respect to various other embodiments disclosed herein). For example, the virtual machine server 124 can provide an instrumented virtual machine environment capable of performing the various techniques as described herein. These instrumented virtual machine (VM) environments 126 and 128 can include, for example, various user level hooks and/or kernel level hooks in the emulated execution environment to facilitate the monitoring of various program behaviors during execution in the virtual environment (e.g., instrumented VM environments, such as described above) and to log such monitored program behaviors for analysis based on the various techniques described herein with respect to various embodiments. Also, in some cases, multiple instances of a malware sample can be performed using multiple VM environments to perform various tests and/or execute using different execution environments (e.g., different versions of an operating system (OS) environment, different versions of an application, etc.).
Applying Instrumented Virtual Machines to Analyze Malware Samples
An instrumented virtual machine (VM) can be used to perform behavior profiling (e.g., in a VM sandbox environment) using various heuristic-based analysis techniques that can be performed in real-time during execution of the program in the instrumented virtual environment, such as during a file transfer (e.g., during an active file/attachment download) and/or on files previously collected (e.g., a collection of files submitted for batch analysis). Documents, executables, and other forms of potentially malicious content (e.g., to be evaluated) are referred to herein as “malware samples” or just “samples.”
As one example, suppose a malicious user of system 120 sends an email message to a user of client 104 that includes a suspicious or malicious attachment. The attachment may be an executable (e.g., having a file extension of, for example, .exe or .js or some other executable related file extension) and may also be a document (e.g., having a file extension of, for example, .doc or .pdf or some other document related file extension). The message is received by data appliance 102, which determines whether a signature for the attachment is present on data appliance 102. A signature, if present, can indicate that the attachment is known to be safe, and can also indicate that the attachment is known to be malicious. If no signature for the attachment is found, data appliance 102 is configured to provide the attachment to a virtual machine server, such as virtual machine server 112, for analysis.
As discussed above, instantiating multiple virtual machine instances for performing analysis of a given malware sample can be expensive from a computing resources perspective and can also be inefficient from a compute time perspective (e.g., due to the time required to launch an instance of a VM with desired resources, etc., and CPU and memory requirements for executing multiple such VMs on an appliance/server). Thus, to improve performance of malware detection using an instrumented virtual machine environment, in some embodiments, a virtual machine is instantiated in the instrumented virtual machine environment (e.g., virtual machines 114 and/or 116), in which the virtual machine is configured to support installation of two or more versions of a resource (e.g., an executable application that can be used for opening the malware sample which can include a file in a format that is compatible with the executable application, such as two or more versions of Adobe Acrobat® for opening a malware sample that is a PDF file format (.pdf) or two or more versions of Microsoft Word® for opening a malware sample that is a Word document file format (.doc), etc.). Such a virtual machine can then be used to install a first version of the resource and monitor the instrumented virtual machine environment while executing the first version of the resource with the malware sample opened using the first version of the resource. This virtual machine can then also be used to install a second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource. As such, the instrumented virtual machine environment can be monitored while executing each version of the resource with the malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected (e.g., if there are four versions of the application, then a six minute period of time can be equally allocated among each of the four versions of the application, such that the malware sample is opened using each of the four versions of the malware sample and monitored for approximately 1 minute and 30 seconds). This approach allows for an efficient analysis of the malware sample using multiple different versions of the resource for opening the malware sample and monitoring behavior in the instrumented virtual environment without having to re-instantiate the virtual machine to install and execute such different versions of the resource (e.g., executable application versions).
In some embodiments, such VM-based analysis techniques are performed by the VM server (e.g., VM server 112). In other embodiments, such VM-based analysis techniques are performed at least in part by appliance 102 (e.g., or in some cases, such VM-based analysis techniques can be performed completely by the appliance 102). The malware analysis and enforcement functionality illustrated in FIG. 1 as being provided by data appliance 102 and VM server 112 is also referred to herein as being provided by malware analysis system 132. As explained above, portions of malware analysis system 132 may be provided by multiple distinct devices, but may also be provided on a single platform, as applicable.
If the malware sample (e.g., attachment) is determined to be malicious, appliance 102 can automatically block the file download based on the analysis result. Further, in some embodiments, a signature can be generated and distributed (e.g., to other data appliances) to automatically block future file transfer requests to download the file determined to be malicious.
Techniques for Providing an Efficient and Enhanced Detection of Malware Using an Instrumented Virtual Machine Environment
Malware often leverages exploits that are specific to a particular system configuration or set of system configurations. For example, malware 130 might be able to successfully compromise a computer system running a particular operating system version and/or a particular application version, such as Adobe Acrobat® Version 9.0 (e.g., running on client 104), but be unable to compromise a computer system running any versions of Adobe Acrobat® Version 10.0 (e.g., running on client 106). If the only virtual machine used to evaluate malware 130 is an instrumented virtual machine environment with Adobe Acrobat® Version 9.0 installed, then the malicious nature of malware 130 might not be discovered. As another example, malware 130 might be able to successfully compromise a system upon which a particular combination of software is installed (e.g., a specific version of Internet Explorer with a specific version of Java). If the only virtual machine image(s) used to evaluate malware 130 include only one but not both applications, or include different versions of those applications, then the malicious nature of malware 130 might not be discovered.
Some computing environments are relatively homogenous. For example, every employee at a startup might be issued the same laptop, running the same operating system, and with the same base applications installed. More typically, however, a range of different platforms and configurations is supported (e.g., in an enterprise environment). Further, certain employees (e.g., in the Finance Department) may need access to additional software (e.g., Microsoft Access®) not included on the systems of other users. And, employees are often allowed to customize their systems, e.g., by adding or removing software.
Suppose malware 130 targets Microsoft Windows systems. Further suppose that the IT Department of Acme Company supports the following: Windows 7 operating system with either Internet Explorer 9 or 10, and any of Microsoft Office 2007 and 2010 installed. An Acme Company employee may thus potentially be opening malware 130 on any of four different officially supported Windows system and application version configurations. Using the techniques described herein, malware analysis system 132 can efficiently evaluate malware 130 using a single virtual machine instance that can then install and execute each of these four potential application version configurations and will be able to detect that malware 130 is malicious. In particular, this approach to providing dynamic security analysis using an instrumented virtual machine environment is efficiently performed in this case without having to re-instantiate the virtual machine instance by installing and executing each of these four different combinations of application versions in the single virtual machine instance for the Windows 7 operating system. As would be apparent to those of ordinary skill in the art, this approach is more efficient, because such an approach requires less computing resources and time than instantiating and executing four different virtual machine instances corresponding to each of the four potential application version configurations in order to detect that malware 130 is malicious. Thus, as will be described in more detail below, performing runtime installations of different resources (e.g., different versions of one or more applications) can efficiently be made to a single virtual machine instance (e.g., to efficiently test multiple different potential system configurations) to facilitate an efficient detection of and enhanced detection rate of malware using an instrumented virtual machine environment.
A variety of techniques for detection of malware using an instrumented virtual machine environment will be described in conjunction with FIG. 3 .
At 304, instantiating a first virtual machine (i.e., launching a single virtual machine instance for execution) in the instrumented virtual machine environment is performed. In particular, the first virtual machine is configured to support installation of two or more versions of a resource. For example, the candidate malware can be executed in one of virtual machines 114-116 and any behaviors logged for analysis by system 132. As another example, the candidate malware can be executed in one of virtual machines 126-128 and analyzed by cloud security service 122.
At 306, installing a first version of a resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource is performed. For example, the candidate malware can be analyzed by opening the candidate malware using the first version of the resource and monitoring behaviors using the instrumented virtual machine environment (e.g., for a predetermined period of time and/or until malicious behavior/activity is detected). In an example implementation, the first virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to install the first version of the resource and to open the candidate malware using the first version of the resource.
At 308, installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource is performed. In an example implementation, the first virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to install the second version of the resource (e.g., after a predetermined period of time and/or based on other criteria) and to open the candidate malware using the second version of the resource. In particular, the candidate malware can also be analyzed by opening the candidate malware using the second version of the resource and monitoring behaviors using the instrumented virtual machine environment (e.g., for a predetermined period of time and/or until malicious behavior/activity is detected). In this example, the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
In some embodiments, the resource includes an executable application, and the malware sample includes a file in a format that is compatible with the executable application (e.g., the application can open the malware sample file). In an example implementation, the instrumented virtual machine environment is monitored while executing each version of the application with the malware sample opened using each version of the application for at least a predetermined period of time or until malicious behavior is detected (e.g., and/or until some other criteria is satisfied). In this example implementation, if there are two versions of the application, then a six minute period of time can be equally allocated among each of the two versions of the application, such that the malware sample is opened using each of the two versions of the malware sample and monitored for approximately three minutes. As similarly discussed above, the virtual machine instance can be configured to include a set of (startup) instructions, such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria).
In some embodiments, two or more different versions of the resource can be installed and efficiently executed using the same VM instance using the following techniques. First, the system environment (e.g., of the VM instance) can be scanned (e.g., including files, registry settings, processes, and services) in a clean state (e.g., prior to installing a version of the resource). Then, the first version of the resource (e.g., a software application, such as Microsoft Office®) can be installed. The system environment can then be scanned again after completion of the installation of the first version of the resource to determine any new items identified, including, for example, any new files that were saved/installed by the installation, registry setting changes, processes launched, and services installed. For example, these new file related items and/or registry key related items can then later be renamed in order to conceal (e.g., hide) the presence of any such file related items and/or registry key related items related to the first version of the resource having been installed in the system environment. After renaming and saving each of such new file related items and/or registry key related items (e.g., using dummy file names and/or dummy directory paths), and performing various additional techniques for handling any new process and/or service related items as further described below, the system environment is returned to an appearance of a clean state as would be apparent to a second version of the resource (e.g., as any items associated with the first version of the resource have been hidden from detection by the renaming of such items to different names/directories and/or renaming any such items to different registry key name/paths, and/or starting/stopping of any processes and/or services, such as further described below).
In some cases, certain resources (e.g., Microsoft Office® and/or various other applications) can install many different files and registry keys. A brute force approach that requires renaming all such items can generally be slow and/or resource expensive. As a result, in some embodiments, another approach can be performed that determines a subset or minimum set of items for renaming to more efficiently perform such renaming operations. For example, assume that for a set of new files located in a directory path of C:\Program Files\Microsoft Office\ that only “Microsoft Office” needs to be renamed in order to hide all of the following items.
C:\Program Files\Microsoft Office\CLIPART\
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00004_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00011_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00021_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00037_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00038_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00040_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00052_.GIF
C:\Program Files\Microsoft Office\CLIPART\PUB60COR\AG00057_.GIF
As another example, assume that for a set of new registry keys located in a directory path of HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\ that only “14.0” needs to be renamed in order to hide all of the following items.
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DrawAlerts\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\DrawAlerts\FTP Sites\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\General\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\SmartArt\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\SmartArt\1033\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\Themes\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\Themes\1033\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\WordDocParts\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LCCache\WordDocParts\1033\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Common\LanguageResources\EnabledLanguages\
In an example implementation, by using such a minimum rename set for efficiently performing such renaming operations, this process can be performed three to ten times faster, depending on the virtual machine execution environment.
In case of any new processes that are identified during a system environment state scan (e.g., after installation of the first version of the resource), any such new processes can be stopped before swapping to another version of the resource (e.g., before launching/executing the second version of the resource), and any corresponding new process for another version of the resource can be started after such a swap (e.g., after stopping execution of the first version of the resource, and starting execution of the second version of the resource).
In case of any new services that are identified during a system environment state scan (e.g., after installation of the first version of the resource), any such new services can be uninstalled/installed service, if stopping/starting such services is not sufficient to properly execute another version of the resource (e.g., after stopping execution of the first version of the resource, and starting execution of the second version of the resource).
As such, using the above-described techniques, two different versions of the resource can be installed and efficiently executed using the same VM instance. As would now be apparent to those of ordinary skill in the art, these renaming and service/process start/stop operations can be performed to swap between different versions of the resource (e.g., swapping from an execution of the first version of the resource to an execution of the second version of the resource and vice versa, such that if a selected version of the resource is to be executed, then the files/registry keys associated with the selected version of the resource that had been renamed to, for example, various dummy file names, can be renamed to expected file names so that the selected version of the resource can execute properly). As would also now be apparent to those of ordinary skill in the art, this process of scanning the system environment and performing the above-described resource version specific related operations (e.g., renaming of certain files and registry keys, starting/stopping of certain services and/or processes, etc., to facilitate proper execution of different versions of the resource in the system environment) can be repeated to support installation and execution of additional versions of the resource using the same VM instance.
At 310, a determination is made as to whether the candidate malware is malware (e.g., by detecting whether the candidate malware is performing malicious behavior or activity in the instrumented virtual environment). For example, data resulting from the executing of the virtual machine instance executing two different versions of the resource for opening the candidate malware is captured. In particular, the inserting of kernel level and/or user level hooks in the instrumented virtual machine environment can be implemented to facilitate analysis of malware samples. Such hooks may be frequently updated (e.g., by the operator of service 122). In an example implementation, inserting the hooks just prior to execution is efficient, and can also mitigate attempts by malware 130 to determine that it is operating in an instrumented (i.e., hooked) environment (e.g., as certain malware attempt to utilize anti-VM techniques to evade detection in VM environments). As one example, at 306 and/or 308, any modifications to the file system are captured. As another example, at 306 and/or 308, any hooks installed in the instrumented virtual machine environment can report log information (e.g., back to appliance 102 and/or cloud security service 122) for analysis. As yet another example, at 306 and/or 308, network traffic can be captured and logged (e.g., using pcap).
Analyses of the results of emulating the sample are then performed. In some embodiments, various heuristic techniques are used to analyze the results of emulating the sample in order to detect whether the candidate malware (e.g., malware sample can include a file, which can be opened using an appropriate application, and/or a program, such as a script or other executable code or script) executing in the instrumented virtual machine environment is malware (e.g., by detecting whether the candidate malware is performing malicious behavior by monitoring the instrumented virtual machine environment). As explained above, conclusions can be made as to whether the samples are malicious, and signatures can be generated for future use. The virtual machine instance can then be abandoned and new virtual machine instances can be used to evaluate new malware samples using the techniques disclosed herein.
And, if a determination is made that the candidate malware is malware, then at 310, output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)). As one example, at 310, a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature). As another example, instead of or in addition to generating a signature, an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104.
At 404, storing a plurality of installed versions of a resource using dummy file names for one or more registry files and one or more executable files associated with the resource is performed.
At 406, for each version of the resource to be executed, renaming one or more of the dummy file names associated with the version of the resource being executed to a predetermined file name is performed. For example, the dummy file names that are needed for properly executing a selected version of the resource can be renamed to expected file names so that the selected version of the resource can execute properly.
At 408, monitoring the candidate malware sample opened using each version of the resource using the instrumented virtual machine (VM) environment is performed. For instance, the candidate malware can be analyzed using one or more virtual machines by executing each version of the resource with the candidate malware sample (e.g., malware sample can include a file, which can be opened using each version of the resource, which can be an application program that can open that format of file) in the instrumented virtual machine environment. As an example, the candidate malware can be executed in one or more virtual machines 114-116 and any behaviors logged for analysis by system 132. As another example, the candidate malware can be executed in one or more virtual machines 126-128 and analyzed by cloud security service 122.
In an example implementation, the virtual machine instance can be configured to include a set of instructions (e.g., startup instructions, such as in an autoexec.bat file), such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria). In this example implementation, the set of instructions can also include the instructions to perform the operations described above at 404 and 406.
At 410, a determination is made as to whether the candidate malware is malware (e.g., by detecting whether the candidate malware is performing malicious behavior or activity in the instrumented virtual environment). For example, data resulting from the executing of the virtual machine instance executing two different versions of the resource for opening the candidate malware is captured, as similarly discussed above. As also explained above, conclusions can be made as to whether the samples are malicious, and signatures can be generated for future use. The virtual machine instance can then be abandoned and new virtual machine instances used to evaluate new malware samples using the techniques disclosed herein.
And, if a determination is made that the candidate malware is malware, then at 410, output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)). As one example, at 410, a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature). As another example, instead of or in addition to generating a signature, an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104.
At 504, preloading one or more system files that are used by a first version of a resource and/or a second version of the resource into a new resource system file location directory is performed. For example, preloading one or more system files can include preloading required libraries (e.g., dynamically loaded libraries (DLLs)) into a local directory so that a program loader can access those files that would not necessarily be available if running a certain version of the operating system (e.g., preloading DLLs into a common files\Adobe-X local directory such that the Adobe application program loader can access such DLLs on the Windows 8 virtual machine instance for a legacy version of that Adobe application that was configured to execute on Windows XP but not Windows 8).
At 506, overriding an installer for the resource to redirect the installer to the new resource system file location directory is performed. For example, the installer of the resource can be modified to load a correct version of common resources, such as to redirect the installer to access certain directors for loading various system files when installing the resource (e.g., such as for loading certain libraries or other operating systems and/or resource related libraries or other components used for installing the resource). In particular, to prevent abnormal operation of a selected version of the resource during execution, certain common resources often would have to be loaded in order to properly select the version of the resource (e.g., C:\program files\common files\resource-X″ is a directory for files that will be loaded across the versions; such files can place different versions of files, such as libraries or other common files used by resource-X, under different folders, and redirect the loader to load the correct version of the resource-X; or such resources can be renamed to the correct path before a given version of the resource-X is executed such that it can find the correct version of such libraries or other common files used by resource-X). As another example, the installer of the resource can be modified to bypass a version check during installation (e.g., by disabling version check installer logic and/or hiding/concealing the files/registries that the installer would typically be configured to look for, etc.).
At 508, monitoring the candidate malware sample opened using each version of the resource using the instrumented virtual machine (VM) environment is performed. For instance, the candidate malware can be analyzed using one or more virtual machines by executing each version of the resource with the candidate malware sample (e.g., malware sample can include a file, which can be opened using each version of the resource, which can be an application program that can open that format of file) in the instrumented virtual machine environment. As an example, the candidate malware can be executed in one or more virtual machines 114-116 and any behaviors logged for analysis by system 132. As another example, the candidate malware can be executed in one or more virtual machines 126-128 and analyzed by cloud security service 122.
In an example implementation, the virtual machine instance can be configured to include a set of (startup) instructions, such as a set of instructions to load the candidate malware using each version of the resource (e.g., where malware 130 is a Microsoft Word or PDF document, and the loading of the malware can be configured to be performed for each version based on a predetermined period of time and/or other criteria). In this example implementation, the set of instructions can also include the instructions to perform the operations described above at 504 and 506. In another example implementation, the set of instructions can also include the instructions to perform the operations described above at 404 and 406 as well as to perform the operations described above at 504 and 506.
At 510, a determination is made as to whether the candidate malware is malware (e.g., by detecting whether the candidate malware is performing malicious behavior or activity in the instrumented virtual environment). For example, data resulting from the executing of the virtual machine instance executing two different versions of the resource for opening the candidate malware is captured, as similarly discussed above. As also explained above, conclusions can be made as to whether the samples are malicious, and signatures can be generated for future use. The virtual machine instance can then be abandoned and new virtual machine instances used to evaluate new malware samples using the techniques disclosed herein.
And, if a determination is made that the candidate malware is malware, then at 510, output is generated that indicates that the candidate malware is malware (e.g., based at least in part on a determination that the candidate malware is associated with malicious behavior(s)). As one example, at 510, a signature for the attachment can also be generated (e.g., as an MD5 hash-based signature). As another example, instead of or in addition to generating a signature, an alert can be generated that instructs data appliance 102 not to provide the attachment to client 104.
Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.
Claims (15)
1. A system for detection of malware using an instrumented virtual machine environment, comprising:
a processor configured to:
instantiate a first virtual machine in the instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
install a first version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource, comprising to:
store the first version of the resource using a first dummy file name for a registry file associated with the resource and a first executable file associated with the resource;
install a second version of the resource on the first virtual machine and monitor the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource, comprising to:
store the second version of the resource using a second dummy file name for the registry file and a second executable file associated with the resource; and
monitor the instrumented virtual machine environment while executing each version of the resource with the malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected, comprising to:
rename the first dummy file name to a first expected file name in order to execute the first version of the resource;
execute the first version of the resource based on the first expected file name and the first executable file;
rename the second dummy file name to a second expected file name in order to execute the second version of the resource; and
execute the second version of the resource based on the second expected file name and the second executable file; and
a memory coupled to the processor and configured to provide the processor with instructions.
2. The system recited in claim 1 , wherein the resource includes an executable application, and wherein the malware sample includes a file in a format that is compatible with the executable application.
3. The system recited in claim 1 , wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
4. The system recited in claim 1 , wherein the processor is further configured to:
preload one or more system files that are used by the first version of the resource and/or the second version of the resource into a new resource system file location directory; and
override an installer for the resource to redirect the installer to the new resource system file location directory.
5. The system recited in claim 1 , wherein the system executes a cloud security service, and wherein the processor is further configured to:
receive the malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the malware sample opened using each version of the resource to determine whether the malware sample indicates potentially malicious behavior.
6. A method for detection of malware using an instrumented virtual machine environment, comprising:
instantiating a first virtual machine in the instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource, comprising:
storing the first version of the resource using a first dummy file name for a registry file associated with the resource and a first executable file associated with the resource;
installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource, comprising:
store the second version of the resource using a second dummy file name for the registry file and a second executable file associated with the resource; and
monitoring the instrumented virtual machine environment while executing each version of the resource with the malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected, comprising:
renaming the first dummy file name to a first expected file name in order to execute the first version of the resource;
executing the first version of the resource based on the first expected file name and the first executable file;
renaming the second dummy file name to a second expected file name in order to execute the second version of the resource; and
executing the second version of the resource based on the second expected file name and the second executable file.
7. The method of claim 6 , wherein the resource includes an executable application, and wherein the malware sample includes a file in a format that is compatible with the executable application.
8. The method of claim 6 , wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
9. The method of claim 6 , further comprising:
preloading one or more system files that are used by the first version of the resource and/or the second version of the resource into a new resource system file location directory; and
overriding an installer for the resource to redirect the installer to the new resource system file location directory.
10. The method of claim 6 , wherein the instrumented virtual machine environment is executed by a cloud security service, and further comprising:
receiving the malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the malware sample opened using each version of the resource to determine whether the malware sample indicates potentially malicious behavior.
11. A computer program product for detection of malware using an instrumented virtual machine environment, the computer program product being embodied in a non-transitory, tangible computer readable storage medium and comprising computer instructions for:
instantiating a first virtual machine in the instrumented virtual machine environment, wherein the first virtual machine is configured to support installation of two or more versions of a resource;
installing a first version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the first version of the resource with a malware sample opened using the first version of the resource, comprising:
storing the first version of the resource using a first dummy file name for a registry file associated with the resource and a first executable file associated with the resource;
installing a second version of the resource on the first virtual machine and monitoring the instrumented virtual machine environment while executing the second version of the resource with the malware sample opened using the second version of the resource, comprising:
storing the second version of the resource using a second dummy file name for the registry file and a second executable file associated with the resource; and
monitoring the instrumented virtual machine environment while executing each version of the resource with the malware sample opened using each version of the resource for at least a predetermined period of time or until malicious behavior is detected, comprising:
renaming the first dummy file name to a first expected file name in order to execute the first version of the resource;
executing the first version of the resource based on the first expected file name and the first executable file;
renaming the second dummy file name to a second expected file name in order to execute the second version of the resource; and
executing the second version of the resource based on the second expected file name and the second executable file.
12. The computer program product recited in claim 11 , wherein the resource includes an executable application, and wherein the malware sample includes a file in a format that is compatible with the executable application.
13. The computer program product recited in claim 11 , wherein the second version of the resource is installed on the first virtual machine without having to re-instantiate the first virtual machine.
14. The computer program product recited in claim 11 , further comprising computer instructions for:
preloading one or more system files that are used by the first version of the resource and/or the second version of the resource into a new resource system file location directory; and
overriding an installer for the resource to redirect the installer to the new resource system file location directory.
15. The computer program product recited in claim 11 , wherein the instrumented virtual machine environment is executed by a cloud security service, and further comprising computer instructions for:
receiving the malware sample at the cloud security service from a security device, wherein the instrumented virtual machine environment is monitored during execution of each version of the resource with the malware sample opened using each version of the resource to determine whether the malware sample indicates potentially malicious behavior.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/331,113 US9489516B1 (en) | 2014-07-14 | 2014-07-14 | Detection of malware using an instrumented virtual machine environment |
US15/278,846 US10204221B2 (en) | 2014-07-14 | 2016-09-28 | Detection of malware using an instrumented virtual machine environment |
US16/222,982 US10515210B2 (en) | 2014-07-14 | 2018-12-17 | Detection of malware using an instrumented virtual machine environment |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US14/331,113 US9489516B1 (en) | 2014-07-14 | 2014-07-14 | Detection of malware using an instrumented virtual machine environment |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/278,846 Continuation US10204221B2 (en) | 2014-07-14 | 2016-09-28 | Detection of malware using an instrumented virtual machine environment |
Publications (1)
Publication Number | Publication Date |
---|---|
US9489516B1 true US9489516B1 (en) | 2016-11-08 |
Family
ID=57211009
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US14/331,113 Active 2034-09-19 US9489516B1 (en) | 2014-07-14 | 2014-07-14 | Detection of malware using an instrumented virtual machine environment |
US15/278,846 Active US10204221B2 (en) | 2014-07-14 | 2016-09-28 | Detection of malware using an instrumented virtual machine environment |
US16/222,982 Active US10515210B2 (en) | 2014-07-14 | 2018-12-17 | Detection of malware using an instrumented virtual machine environment |
Family Applications After (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/278,846 Active US10204221B2 (en) | 2014-07-14 | 2016-09-28 | Detection of malware using an instrumented virtual machine environment |
US16/222,982 Active US10515210B2 (en) | 2014-07-14 | 2018-12-17 | Detection of malware using an instrumented virtual machine environment |
Country Status (1)
Country | Link |
---|---|
US (3) | US9489516B1 (en) |
Cited By (20)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20160164916A1 (en) * | 2014-12-03 | 2016-06-09 | Phantom Cyber Corporation | Automated responses to security threats |
US20160335110A1 (en) * | 2015-03-31 | 2016-11-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US20170344740A1 (en) * | 2015-03-31 | 2017-11-30 | Juniper Networks, Inc. | Configuring a sandbox environment for malware testing |
US10445502B1 (en) * | 2015-12-31 | 2019-10-15 | Fireeye, Inc. | Susceptible environment detection system |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10474813B1 (en) * | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10496819B2 (en) * | 2016-05-20 | 2019-12-03 | AO Kaspersky Lab | System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans |
US20190370436A1 (en) * | 2018-05-31 | 2019-12-05 | Microsoft Technology Licensing, Llc | Memory assignment for guest operating systems |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10706149B1 (en) * | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10776482B2 (en) | 2018-05-18 | 2020-09-15 | International Business Machines Corporation | Automated virtual machine integrity checks |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10817606B1 (en) * | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10984104B2 (en) * | 2018-08-28 | 2021-04-20 | AlienVault, Inc. | Malware clustering based on analysis of execution-behavior reports |
US10990674B2 (en) | 2018-08-28 | 2021-04-27 | AlienVault, Inc. | Malware clustering based on function call graph similarity |
US11163879B2 (en) * | 2015-03-31 | 2021-11-02 | Juniper Networks, Inc. | Multi-file malware analysis |
US11263332B2 (en) * | 2018-07-31 | 2022-03-01 | International Business Machines Corporation | Methods to discourage unauthorized register access |
US11372975B2 (en) * | 2016-07-12 | 2022-06-28 | The Quantum Group, Inc. | Event detection and management system |
US11558402B2 (en) | 2019-10-28 | 2023-01-17 | Cisco Technology, Inc. | Virtual switch-based threat defense for networks with multiple virtual network functions |
Families Citing this family (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US9954875B2 (en) * | 2009-06-26 | 2018-04-24 | International Business Machines Corporation | Protecting from unintentional malware download |
US10257223B2 (en) * | 2015-12-21 | 2019-04-09 | Nagravision S.A. | Secured home network |
US9894085B1 (en) * | 2016-03-08 | 2018-02-13 | Symantec Corporation | Systems and methods for categorizing processes as malicious |
RU2649794C1 (en) * | 2017-04-28 | 2018-04-04 | Акционерное общество "Лаборатория Касперского" | System and method for log forming in virtual machine for anti-virus file checking |
US10469518B1 (en) * | 2017-07-26 | 2019-11-05 | EMC IP Holding Company LLC | Method and system for implementing cyber security as a service |
US10581897B1 (en) | 2017-07-26 | 2020-03-03 | EMC IP Holding Company LLC | Method and system for implementing threat intelligence as a service |
US10817603B2 (en) * | 2017-08-29 | 2020-10-27 | Target Brands, Inc. | Computer security system with malicious script document identification |
CN107766723A (en) * | 2017-11-22 | 2018-03-06 | 周燕红 | Suppress method, apparatus, equipment and the readable storage medium storing program for executing of malicious application installation |
US10949541B1 (en) * | 2018-08-29 | 2021-03-16 | NortonLifeLock, Inc. | Rating communicating entities based on the sharing of insecure content |
Citations (145)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5983348A (en) | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US20040030913A1 (en) | 2002-08-08 | 2004-02-12 | Trend Micro Incorporated | System and method for computer protection against malicious electronic mails by analyzing, profiling and trapping the same |
US20040107416A1 (en) | 2002-12-02 | 2004-06-03 | Microsoft Corporation | Patching of in-use functions on a running computer system |
US20050177602A1 (en) | 2001-10-16 | 2005-08-11 | Microsoft Corporation | Scoped metadata |
US20050283837A1 (en) | 2004-06-16 | 2005-12-22 | Michael Olivier | Method and apparatus for managing computer virus outbreaks |
US20060168024A1 (en) | 2004-12-13 | 2006-07-27 | Microsoft Corporation | Sender reputations for spam prevention |
US20070039053A1 (en) | 2005-08-03 | 2007-02-15 | Aladdin Knowledge Systems Ltd. | Security server in the cloud |
US20070050850A1 (en) | 2005-08-30 | 2007-03-01 | Fujitsu Limited | Control method, control program, and control system |
US20070106986A1 (en) | 2005-10-25 | 2007-05-10 | Worley William S Jr | Secure virtual-machine monitor |
US20070192857A1 (en) | 2006-02-16 | 2007-08-16 | Yuval Ben-Itzhak | System and method for enforcing a security context on a downloadable |
US20070261112A1 (en) | 2006-05-08 | 2007-11-08 | Electro Guard Corp. | Network Security Device |
US20080016552A1 (en) | 2006-07-12 | 2008-01-17 | Hart Matt E | Method and apparatus for improving security during web-browsing |
US20080127338A1 (en) | 2006-09-26 | 2008-05-29 | Korea Information Security Agency | System and method for preventing malicious code spread using web technology |
US20080155694A1 (en) | 2005-07-08 | 2008-06-26 | Kt Corporation | Malignant bot confrontation method and its system |
US20080177755A1 (en) | 2007-01-18 | 2008-07-24 | International Business Machines Corporation | Creation and persistence of action metadata |
US20080177994A1 (en) | 2003-01-12 | 2008-07-24 | Yaron Mayer | System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows |
US7409718B1 (en) | 2003-03-14 | 2008-08-05 | Ajou University Industry Cooperation Foundation | Method of decrypting and analyzing encrypted malicious scripts |
US20080209562A1 (en) | 2002-05-23 | 2008-08-28 | Symantec Corporation | Metamorphic Computer Virus Detection |
US20080229393A1 (en) | 2003-04-29 | 2008-09-18 | Congdon Paul T | Method and apparatus for access security services |
US20080256633A1 (en) | 2002-05-08 | 2008-10-16 | International Business Machines Corporation | Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program |
US20080263659A1 (en) | 2007-04-23 | 2008-10-23 | Christoph Alme | System and method for detecting malicious mobile program code |
US20080263658A1 (en) | 2007-04-17 | 2008-10-23 | Microsoft Corporation | Using antimalware technologies to perform offline scanning of virtual machine images |
US20080320594A1 (en) | 2007-03-19 | 2008-12-25 | Xuxian Jiang | Malware Detector |
US20090019547A1 (en) | 2003-12-12 | 2009-01-15 | International Business Machines Corporation | Method and computer program product for identifying or managing vulnerabilities within a data processing network |
US7496963B2 (en) | 2002-08-14 | 2009-02-24 | Messagelabs Limited | Method of, and system for, heuristically detecting viruses in executable code |
US20090055928A1 (en) | 2007-08-21 | 2009-02-26 | Kang Jung Min | Method and apparatus for providing phishing and pharming alerts |
US20090144826A2 (en) | 2005-06-30 | 2009-06-04 | Webroot Software, Inc. | Systems and Methods for Identifying Malware Distribution |
US20090150419A1 (en) | 2007-12-10 | 2009-06-11 | Won Ho Kim | Apparatus and method for removing malicious code inserted into file |
US7568233B1 (en) | 2005-04-01 | 2009-07-28 | Symantec Corporation | Detecting malicious software through process dump scanning |
US20090235357A1 (en) | 2008-03-14 | 2009-09-17 | Computer Associates Think, Inc. | Method and System for Generating a Malware Sequence File |
US20090241190A1 (en) | 2008-03-24 | 2009-09-24 | Michael Todd | System and method for securing a network from zero-day vulnerability exploits |
US7603713B1 (en) | 2009-03-30 | 2009-10-13 | Kaspersky Lab, Zao | Method for accelerating hardware emulator used for malware detection and analysis |
US20090282485A1 (en) | 2008-05-12 | 2009-11-12 | Bennett James D | Network browser based virus detection |
US20090288167A1 (en) | 2008-05-19 | 2009-11-19 | Authentium, Inc. | Secure virtualization system software |
US7649838B2 (en) | 2003-03-31 | 2010-01-19 | Adknowledge, Inc. | System and method for ranking the quality of internet traffic directed from one web site to another |
US20100037314A1 (en) | 2008-08-11 | 2010-02-11 | Perdisci Roberto | Method and system for detecting malicious and/or botnet-related domain names |
US7664855B1 (en) | 2004-05-05 | 2010-02-16 | Juniper Networks, Inc. | Port scanning mitigation within a network through establishment of an a prior network connection |
US20100043072A1 (en) | 2005-01-20 | 2010-02-18 | William Grant Rothwell | Computer protection against malware affection |
US20100107252A1 (en) | 2007-10-17 | 2010-04-29 | Sukarno Mertoguno | Cognizant engines: systems and methods for enabling program observability and controlability at instruction level granularity |
US20100115586A1 (en) | 2002-06-06 | 2010-05-06 | Raghavan Kartik N | Managing stored data on a computer network |
US20100154059A1 (en) | 2008-12-11 | 2010-06-17 | Kindsight | Network based malware detection and reporting |
US20100162350A1 (en) | 2008-12-24 | 2010-06-24 | Korea Information Security Agency | Security system of managing irc and http botnets, and method therefor |
US20100175132A1 (en) | 2009-01-05 | 2010-07-08 | Andrew Zawadowskiy | Attack-resistant verification of auto-generated anti-malware signatures |
US7779472B1 (en) | 2005-10-11 | 2010-08-17 | Trend Micro, Inc. | Application behavior based malware detection |
US7823202B1 (en) | 2007-03-21 | 2010-10-26 | Narus, Inc. | Method for detecting internet border gateway protocol prefix hijacking attacks |
US20100281458A1 (en) | 2009-04-30 | 2010-11-04 | Business Objects, S.A. | Application modification framework |
US7870610B1 (en) | 2007-03-16 | 2011-01-11 | The Board Of Directors Of The Leland Stanford Junior University | Detection of malicious programs |
US20110041179A1 (en) | 2009-08-11 | 2011-02-17 | F-Secure Oyj | Malware detection |
US20110055923A1 (en) | 2009-09-02 | 2011-03-03 | Thomas Ross G | Hierarchical statistical model of internet reputation |
US7930273B1 (en) * | 2007-07-30 | 2011-04-19 | Adobe Systems Incorporated | Version management for application execution environment |
US20110090911A1 (en) | 2009-10-21 | 2011-04-21 | Fang Hao | Method and apparatus for transparent cloud computing with a virtualized network infrastructure |
US20110099620A1 (en) | 2009-04-09 | 2011-04-28 | Angelos Stavrou | Malware Detector |
US7945908B1 (en) | 2006-03-31 | 2011-05-17 | Vmware, Inc. | Method and system for improving the accuracy of timing and process accounting within virtual machines |
US7958555B1 (en) | 2007-09-28 | 2011-06-07 | Trend Micro Incorporated | Protecting computer users from online frauds |
US20110161955A1 (en) | 2009-12-29 | 2011-06-30 | Woller Thomas R | Hypervisor isolation of processor cores |
US20110167495A1 (en) | 2010-01-06 | 2011-07-07 | Antonakakis Emmanouil | Method and system for detecting malware |
US20110173698A1 (en) | 2010-01-08 | 2011-07-14 | Microsoft Corporation | Mitigating false positives in malware detection |
US20110185425A1 (en) | 2010-01-22 | 2011-07-28 | National Taiwan University Of Science & Technology | Network attack detection devices and methods |
US20110271342A1 (en) | 2010-04-28 | 2011-11-03 | Electronics And Telecommunications Research Institute | Defense method and device against intelligent bots using masqueraded virtual machine information |
US20110296486A1 (en) | 2010-05-26 | 2011-12-01 | Lloyd Leon Burch | Dynamic service access |
US20110296412A1 (en) | 2010-05-28 | 2011-12-01 | Gaurav Banga | Approaches for securing an internet endpoint using fine-grained operating system virtualization |
US20120042381A1 (en) | 2010-08-10 | 2012-02-16 | Manos Antonakakis | Method and system for determining whether domain names are legitimate or malicious |
US20120054869A1 (en) | 2010-08-31 | 2012-03-01 | Chui-Tin Yen | Method and apparatus for detecting botnets |
US8141132B2 (en) | 2006-08-15 | 2012-03-20 | Symantec Corporation | Determining an invalid request |
US8151352B1 (en) | 2006-07-14 | 2012-04-03 | Bitdefender IPR Managament Ltd. | Anti-malware emulation systems and methods |
US20120084860A1 (en) | 2010-10-01 | 2012-04-05 | Alcatel-Lucent Usa Inc. | System and method for detection of domain-flux botnets and the like |
US20120089700A1 (en) | 2010-10-10 | 2012-04-12 | Contendo, Inc. | Proxy server configured for hierarchical caching and dynamic site acceleration and custom object and associated method |
US20120096549A1 (en) | 2010-10-13 | 2012-04-19 | International Business Machines Corporation | Adaptive cyber-security analytics |
US20120117650A1 (en) | 2010-11-10 | 2012-05-10 | Symantec Corporation | Ip-based blocking of malware |
US20120117652A1 (en) | 2009-09-30 | 2012-05-10 | Jayaraman Manni | Network-Based Binary File Extraction and Analysis for Malware Detection |
US8201246B1 (en) | 2008-02-25 | 2012-06-12 | Trend Micro Incorporated | Preventing malicious codes from performing malicious actions in a computer system |
US8209680B1 (en) | 2003-04-11 | 2012-06-26 | Vmware, Inc. | System and method for disk imaging on diverse computers |
US8225317B1 (en) | 2009-04-17 | 2012-07-17 | Symantec Corporation | Insertion and invocation of virtual appliance agents through exception handling regions of virtual machines |
US20120192274A1 (en) | 2006-08-10 | 2012-07-26 | Wayne Odom | System, Method, and Device for Storing and Delivering Data |
US8260914B1 (en) | 2010-06-22 | 2012-09-04 | Narus, Inc. | Detecting DNS fast-flux anomalies |
US20120233691A1 (en) | 2009-11-26 | 2012-09-13 | Chengdu Huawei Symantec Technologies Co., Ltd. | Method, device and system for alerting against unknown malicious codes |
US20120240224A1 (en) | 2010-09-14 | 2012-09-20 | Georgia Tech Research Corporation | Security systems and methods for distinguishing user-intended traffic from malicious traffic |
WO2012134584A1 (en) | 2011-03-30 | 2012-10-04 | Intel Corporation | Method and apparatus for transparently instrumenting an application program |
US20120255031A1 (en) | 2011-03-28 | 2012-10-04 | Mcafee, Inc. | System and method for securing memory using below-operating system trapping |
US20120255018A1 (en) | 2011-03-31 | 2012-10-04 | Mcafee, Inc. | System and method for securing memory and storage of an electronic device with a below-operating system security agent |
US20120255019A1 (en) | 2011-03-29 | 2012-10-04 | Kindsight, Inc. | Method and system for operating system identification in a network based security monitoring solution |
US20120255021A1 (en) | 2011-03-31 | 2012-10-04 | Mcafee, Inc. | System and method for securing an input/output path of an application against malware with a below-operating system security agent |
US8291468B1 (en) | 2009-03-30 | 2012-10-16 | Juniper Networks, Inc. | Translating authorization information within computer networks |
US20120278889A1 (en) | 2009-11-20 | 2012-11-01 | El-Moussa Fadi J | Detecting malicious behaviour on a network |
US20120291042A1 (en) | 2010-12-21 | 2012-11-15 | Qualcomm Incorporated | Minimizing resource latency between processor application states in a portable computing device by scheduling resource set transitions |
US20120291131A1 (en) | 2011-05-09 | 2012-11-15 | F-Secure Corporation | Malware detection |
US8316440B1 (en) | 2007-10-30 | 2012-11-20 | Trend Micro, Inc. | System for detecting change of name-to-IP resolution |
US8321936B1 (en) | 2007-05-30 | 2012-11-27 | M86 Security, Inc. | System and method for malicious software detection in multiple protocols |
US8347100B1 (en) | 2010-07-14 | 2013-01-01 | F5 Networks, Inc. | Methods for DNSSEC proxying and deployment amelioration and systems thereof |
US20130014259A1 (en) | 2006-01-23 | 2013-01-10 | University Of Washington Through Its Center For Commercialization | Detection of spyware threats within virtual machine |
US8359651B1 (en) | 2008-05-15 | 2013-01-22 | Trend Micro Incorporated | Discovering malicious locations in a public computer network |
US8370938B1 (en) | 2009-04-25 | 2013-02-05 | Dasient, Inc. | Mitigating malware |
US20130047147A1 (en) | 2011-08-16 | 2013-02-21 | Campbell McNeill | Virtual Machine Asynchronous Patch Management |
US20130055394A1 (en) | 2011-08-24 | 2013-02-28 | Yolanta Beresnevichiene | Network security risk assessment |
US8402543B1 (en) | 2011-03-25 | 2013-03-19 | Narus, Inc. | Machine learning based botnet detection with dynamic adaptation |
US8407324B2 (en) | 2010-07-01 | 2013-03-26 | Raytheon Company | Dynamic modification of the address of a proxy |
US20130091350A1 (en) | 2011-10-07 | 2013-04-11 | Salesforce.Com, Inc. | Methods and systems for proxying data |
US20130091570A1 (en) | 2009-09-15 | 2013-04-11 | Symantec Corporation | Short-range mobile honeypot for sampling and tracking threats |
US20130104230A1 (en) | 2011-10-21 | 2013-04-25 | Mcafee, Inc. | System and Method for Detection of Denial of Service Attacks |
US8438639B2 (en) | 2009-10-22 | 2013-05-07 | Korea Internet & Security Agency | Apparatus for detecting and filtering application layer DDoS attack of web service |
WO2013067508A1 (en) | 2011-11-03 | 2013-05-10 | Cyphort, Inc. | Systems and methods for virtualized malware detection |
US8443363B1 (en) | 2008-05-30 | 2013-05-14 | Symantec Corporation | Coordinated virtualization activities |
US8443449B1 (en) | 2009-11-09 | 2013-05-14 | Trend Micro, Inc. | Silent detection of malware and feedback over a network |
US20130145002A1 (en) | 2011-12-01 | 2013-06-06 | International Business Machines Corporation | Enabling Co-Existence of Hosts or Virtual Machines with Identical Addresses |
US8464341B2 (en) | 2008-07-22 | 2013-06-11 | Microsoft Corporation | Detecting machines compromised with malware |
US20130152200A1 (en) * | 2011-12-09 | 2013-06-13 | Christoph Alme | Predictive Heap Overflow Protection |
US8484732B1 (en) | 2012-02-01 | 2013-07-09 | Trend Micro Incorporated | Protecting computers against virtual machine exploits |
US8484739B1 (en) | 2008-12-15 | 2013-07-09 | Symantec Corporation | Techniques for securely performing reputation based analysis using virtualization |
US8510827B1 (en) | 2006-05-18 | 2013-08-13 | Vmware, Inc. | Taint tracking mechanism for computer security |
US8516591B2 (en) | 2010-05-13 | 2013-08-20 | Salesforce.Com, Inc. | Security monitoring |
US8521667B2 (en) | 2010-12-15 | 2013-08-27 | Microsoft Corporation | Detection and categorization of malicious URLs |
US20130227165A1 (en) | 2012-02-28 | 2013-08-29 | Comcast Cable Communications, LLC. | Load Balancing and Session Persistence in Packet Networks |
US20130232574A1 (en) | 2012-03-02 | 2013-09-05 | Cox Communications, Inc. | Systems and Methods of DNS Grey Listing |
US8533842B1 (en) | 2008-03-07 | 2013-09-10 | Symantec Corporation | Method and apparatus for evaluating internet resources using a computer health metric |
WO2013134206A1 (en) | 2012-03-05 | 2013-09-12 | The Board Of Regents, The University Of Texas System | Automatically bridging the semantic gap in machine introspection |
US8539577B1 (en) | 2008-06-20 | 2013-09-17 | Verisign, Inc. | System and method for fast flux detection |
US20130246685A1 (en) | 2011-09-09 | 2013-09-19 | Mcafee, Inc. | System and method for passive threat detection using virtual memory inspection |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US8572740B2 (en) | 2009-10-01 | 2013-10-29 | Kaspersky Lab, Zao | Method and system for detection of previously unknown malware |
US8578481B2 (en) | 2006-10-16 | 2013-11-05 | Red Hat, Inc. | Method and system for determining a probability of entry of a counterfeit domain in a browser |
US20130298243A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for orchestrating runtime operational integrity |
US20130298184A1 (en) | 2012-05-02 | 2013-11-07 | Cisco Technology, Inc. | System and method for monitoring application security in a network environment |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US20130326625A1 (en) | 2012-06-05 | 2013-12-05 | Los Alamos National Security, Llc | Integrating multiple data sources for malware classification |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US8646088B2 (en) | 2011-01-03 | 2014-02-04 | International Business Machines Corporation | Runtime enforcement of security checks |
US8646071B2 (en) | 2006-08-07 | 2014-02-04 | Symantec Corporation | Method and system for validating site data |
US20140059641A1 (en) | 2012-08-22 | 2014-02-27 | International Business Machines Corporation | Automated feedback for proposed security rules |
US8677487B2 (en) | 2011-10-18 | 2014-03-18 | Mcafee, Inc. | System and method for detecting a malicious command and control channel |
US8683584B1 (en) | 2009-04-25 | 2014-03-25 | Dasient, Inc. | Risk assessment |
US20140096131A1 (en) | 2012-09-28 | 2014-04-03 | Adventium Enterprises | Virtual machine services |
US8707441B1 (en) | 2010-08-17 | 2014-04-22 | Symantec Corporation | Techniques for identifying optimized malicious search engine results |
US8763125B1 (en) | 2008-09-26 | 2014-06-24 | Trend Micro, Inc. | Disabling execution of malware having a self-defense mechanism |
US8826426B1 (en) | 2011-05-05 | 2014-09-02 | Symantec Corporation | Systems and methods for generating reputation-based ratings for uniform resource locators |
US8838570B1 (en) | 2006-11-06 | 2014-09-16 | Trend Micro Incorporated | Detection of bot-infected computers using a web browser |
US20140283037A1 (en) | 2013-03-15 | 2014-09-18 | Michael Sikorski | System and Method to Extract and Utilize Disassembly Features to Classify Software Intent |
US20140337836A1 (en) | 2013-05-10 | 2014-11-13 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US20140380474A1 (en) | 2013-06-24 | 2014-12-25 | Fireeye, Inc. | System and Method for Detecting Time-Bomb Malware |
US8966625B1 (en) | 2011-05-24 | 2015-02-24 | Palo Alto Networks, Inc. | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US20150058984A1 (en) | 2013-08-23 | 2015-02-26 | Nation Chiao Tung University | Computer-implemented method for distilling a malware program in a system |
US20150067862A1 (en) | 2013-08-30 | 2015-03-05 | Bank Of America Corporation | Malware analysis methods and systems |
US20150195299A1 (en) | 2014-01-07 | 2015-07-09 | Fair Isaac Corporation | Cyber security adaptive analytics threat monitoring system and method |
US9117079B1 (en) * | 2013-02-19 | 2015-08-25 | Trend Micro Inc. | Multiple application versions in a single virtual machine |
US9223962B1 (en) | 2012-07-03 | 2015-12-29 | Bromium, Inc. | Micro-virtual machine forensics and detection |
US9317680B2 (en) | 2010-10-20 | 2016-04-19 | Mcafee, Inc. | Method and system for protecting against unknown malicious activities by determining a reputation of a link |
Family Cites Families (68)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2003085526A1 (en) | 2002-04-03 | 2003-10-16 | Powerquest Corporation | Using disassociated images for computer and storage resource management |
US7013483B2 (en) | 2003-01-03 | 2006-03-14 | Aladdin Knowledge Systems Ltd. | Method for emulating an executable code in order to detect maliciousness |
US20050240756A1 (en) | 2003-01-12 | 2005-10-27 | Yaron Mayer | System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows. |
US7694328B2 (en) * | 2003-10-21 | 2010-04-06 | Google Inc. | Systems and methods for secure client applications |
US7475002B1 (en) | 2004-02-18 | 2009-01-06 | Vmware, Inc. | Method and apparatus for emulating multiple virtual timers in a virtual computer system when the virtual timers fall behind the real time of a physical computer system |
US7908653B2 (en) | 2004-06-29 | 2011-03-15 | Intel Corporation | Method of improving computer security through sandboxing |
US7979368B2 (en) | 2005-07-01 | 2011-07-12 | Crossbeam Systems, Inc. | Systems and methods for processing data flows |
US7647636B2 (en) * | 2005-08-24 | 2010-01-12 | Microsoft Corporation | Generic RootKit detector |
US20070079375A1 (en) | 2005-10-04 | 2007-04-05 | Drew Copley | Computer Behavioral Management Using Heuristic Analysis |
WO2007050244A2 (en) | 2005-10-27 | 2007-05-03 | Georgia Tech Research Corporation | Method and system for detecting and responding to attacking networks |
US8239608B1 (en) * | 2006-10-05 | 2012-08-07 | Vmware, Inc. | Secure computing environment |
US20090007100A1 (en) | 2007-06-28 | 2009-01-01 | Microsoft Corporation | Suspending a Running Operating System to Enable Security Scanning |
US8060074B2 (en) | 2007-07-30 | 2011-11-15 | Mobile Iron, Inc. | Virtual instance architecture for mobile device management systems |
CA2697632C (en) | 2007-08-06 | 2015-05-12 | Bernard De Monseignat | System and method for authentication, data transfer, and protection against phishing |
US7805379B1 (en) | 2007-12-18 | 2010-09-28 | Amazon Technologies, Inc. | Method and system for leasing or purchasing domain names |
US8239492B2 (en) | 2007-12-20 | 2012-08-07 | Pottenger William M | System for content-based peer-to-peer indexing of data on a networked storage device |
US8745731B2 (en) | 2008-04-03 | 2014-06-03 | Microsoft Corporation | Clustering botnet behavior using parameterized models |
US20090265786A1 (en) | 2008-04-17 | 2009-10-22 | Microsoft Corporation | Automatic botnet spam signature generation |
US8364664B2 (en) | 2008-05-12 | 2013-01-29 | Enpulz, L.L.C. | Web browser accessible search engine that identifies search result maxima through user search flow and result content comparison |
US9361089B2 (en) | 2008-07-22 | 2016-06-07 | International Business Machines Corporation | Secure patch updates of a virtual machine image in a virtualization data processing system |
US8763071B2 (en) | 2008-07-24 | 2014-06-24 | Zscaler, Inc. | Systems and methods for mobile application security classification and enforcement |
US8667583B2 (en) | 2008-09-22 | 2014-03-04 | Microsoft Corporation | Collecting and analyzing malware data |
US9235704B2 (en) | 2008-10-21 | 2016-01-12 | Lookout, Inc. | System and method for a scanning API |
US8336080B2 (en) | 2009-06-26 | 2012-12-18 | Symbol Technologies, Inc. | Methods and apparatus for rating device security and automatically assessing security compliance |
US20110208714A1 (en) | 2010-02-19 | 2011-08-25 | c/o Microsoft Corporation | Large scale search bot detection |
US8931088B2 (en) | 2010-03-26 | 2015-01-06 | Alcatel Lucent | Adaptive distinct counting for network-traffic monitoring and other applications |
US8495739B2 (en) | 2010-04-07 | 2013-07-23 | International Business Machines Corporation | System and method for ensuring scanning of files without caching the files to network device |
US9213838B2 (en) * | 2011-05-13 | 2015-12-15 | Mcafee Ireland Holdings Limited | Systems and methods of processing data associated with detection and/or handling of malware |
US8533337B2 (en) | 2010-05-06 | 2013-09-10 | Citrix Systems, Inc. | Continuous upgrading of computers in a load balanced environment |
US8495742B2 (en) | 2010-05-17 | 2013-07-23 | Microsoft Corporation | Identifying malicious queries |
AU2011293160B2 (en) | 2010-08-26 | 2015-04-09 | Verisign, Inc. | Method and system for automatic detection and analysis of malware |
US9119017B2 (en) | 2011-03-18 | 2015-08-25 | Zscaler, Inc. | Cloud based mobile device security and policy enforcement |
US8893124B2 (en) | 2011-03-31 | 2014-11-18 | Intel Corporation | Method, apparatus and system for limiting access to virtualization information in a memory |
US9071518B2 (en) | 2011-07-01 | 2015-06-30 | Fiberlink Communications Corporation | Rules based actions for mobile device management |
CN102339371B (en) * | 2011-09-14 | 2013-12-25 | 奇智软件(北京)有限公司 | Method, device and virtual machine for detecting rogue program |
WO2013055807A1 (en) * | 2011-10-10 | 2013-04-18 | Global Dataguard, Inc | Detecting emergent behavior in communications networks |
US9792430B2 (en) | 2011-11-03 | 2017-10-17 | Cyphort Inc. | Systems and methods for virtualized malware detection |
KR101295644B1 (en) | 2011-11-11 | 2013-09-16 | 한국전자통신연구원 | System and method for verifying smart phone application |
US20130160130A1 (en) * | 2011-12-20 | 2013-06-20 | Kirill Mendelev | Application security testing |
US8863288B1 (en) | 2011-12-30 | 2014-10-14 | Mantech Advanced Systems International, Inc. | Detecting malicious software |
US9063964B2 (en) | 2012-01-04 | 2015-06-23 | Trustgo Mobile, Inc. | Detecting application harmful behavior and grading application risks for mobile devices |
US9922190B2 (en) | 2012-01-25 | 2018-03-20 | Damballa, Inc. | Method and system for detecting DGA-based malware |
US8726386B1 (en) | 2012-03-16 | 2014-05-13 | Symantec Corporation | Systems and methods for detecting malware |
US8813240B1 (en) | 2012-05-30 | 2014-08-19 | Google Inc. | Defensive techniques to increase computer security |
US9330013B2 (en) * | 2012-06-28 | 2016-05-03 | Industrial Technology Research Institute | Method of cloning data in a memory for a virtual machine, product of computer programs and computer system therewith |
US9203862B1 (en) * | 2012-07-03 | 2015-12-01 | Bromium, Inc. | Centralized storage and management of malware manifests |
US8850581B2 (en) * | 2012-11-07 | 2014-09-30 | Microsoft Corporation | Identification of malware detection signature candidate code |
US9043923B2 (en) | 2012-12-27 | 2015-05-26 | Empire Technology Development Llc | Virtual machine monitor (VMM) extension for time shared accelerator management and side-channel vulnerability prevention |
US9165142B1 (en) * | 2013-01-30 | 2015-10-20 | Palo Alto Networks, Inc. | Malware family identification using profile signatures |
KR101739125B1 (en) | 2013-02-27 | 2017-05-24 | 한국전자통신연구원 | Apparatus and method for analysing a permission of application for mobile device and detecting risk |
US9626509B1 (en) * | 2013-03-13 | 2017-04-18 | Fireeye, Inc. | Malicious content analysis with multi-version application support within single operating environment |
US9152694B1 (en) | 2013-06-17 | 2015-10-06 | Appthority, Inc. | Automated classification of applications for mobile devices |
US9852290B1 (en) | 2013-07-12 | 2017-12-26 | The Boeing Company | Systems and methods of analyzing a software component |
US10019575B1 (en) * | 2013-07-30 | 2018-07-10 | Palo Alto Networks, Inc. | Evaluating malware in a virtual machine using copy-on-write |
US9680842B2 (en) | 2013-08-09 | 2017-06-13 | Verisign, Inc. | Detecting co-occurrence patterns in DNS |
US9245121B1 (en) | 2013-08-09 | 2016-01-26 | Narus, Inc. | Detecting suspicious network behaviors based on domain name service failures |
TWI501102B (en) | 2013-08-27 | 2015-09-21 | Inst Information Industry | Virtual time control apparatus, method, and computer program product thereof |
US9591003B2 (en) | 2013-08-28 | 2017-03-07 | Amazon Technologies, Inc. | Dynamic application security verification |
US10084817B2 (en) | 2013-09-11 | 2018-09-25 | NSS Labs, Inc. | Malware and exploit campaign detection system and method |
US9736179B2 (en) * | 2013-09-30 | 2017-08-15 | Fireeye, Inc. | System, apparatus and method for using malware analysis results to drive adaptive instrumentation of virtual machines to improve exploit detection |
US9516039B1 (en) | 2013-11-12 | 2016-12-06 | EMC IP Holding Company LLC | Behavioral detection of suspicious host activities in an enterprise |
US9049221B1 (en) | 2013-11-12 | 2015-06-02 | Emc Corporation | Detecting suspicious web traffic from an enterprise network |
US9436490B2 (en) | 2014-01-13 | 2016-09-06 | Cisco Technology, Inc. | Systems and methods for testing WAAS performance for virtual desktop applications |
US9294486B1 (en) | 2014-03-05 | 2016-03-22 | Sandia Corporation | Malware detection and analysis |
US9654484B2 (en) | 2014-07-31 | 2017-05-16 | Cisco Technology, Inc. | Detecting DGA-based malicious software using network flow information |
RU2595511C2 (en) | 2014-12-05 | 2016-08-27 | Закрытое акционерное общество "Лаборатория Касперского" | System and method of trusted applications operation in the presence of suspicious applications |
CN106295328B (en) * | 2015-05-20 | 2019-06-18 | 阿里巴巴集团控股有限公司 | File test method, apparatus and system |
US9699205B2 (en) | 2015-08-31 | 2017-07-04 | Splunk Inc. | Network security system |
-
2014
- 2014-07-14 US US14/331,113 patent/US9489516B1/en active Active
-
2016
- 2016-09-28 US US15/278,846 patent/US10204221B2/en active Active
-
2018
- 2018-12-17 US US16/222,982 patent/US10515210B2/en active Active
Patent Citations (156)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5983348A (en) | 1997-09-10 | 1999-11-09 | Trend Micro Incorporated | Computer network malicious code scanner |
US20050177602A1 (en) | 2001-10-16 | 2005-08-11 | Microsoft Corporation | Scoped metadata |
US20080256633A1 (en) | 2002-05-08 | 2008-10-16 | International Business Machines Corporation | Method and Apparatus for Determination of the Non-Replicative Behavior of a Malicious Program |
US20080209562A1 (en) | 2002-05-23 | 2008-08-28 | Symantec Corporation | Metamorphic Computer Virus Detection |
US20100115586A1 (en) | 2002-06-06 | 2010-05-06 | Raghavan Kartik N | Managing stored data on a computer network |
US20040030913A1 (en) | 2002-08-08 | 2004-02-12 | Trend Micro Incorporated | System and method for computer protection against malicious electronic mails by analyzing, profiling and trapping the same |
US7496963B2 (en) | 2002-08-14 | 2009-02-24 | Messagelabs Limited | Method of, and system for, heuristically detecting viruses in executable code |
US20040107416A1 (en) | 2002-12-02 | 2004-06-03 | Microsoft Corporation | Patching of in-use functions on a running computer system |
US20080177994A1 (en) | 2003-01-12 | 2008-07-24 | Yaron Mayer | System and method for improving the efficiency, comfort, and/or reliability in Operating Systems, such as for example Windows |
US7409718B1 (en) | 2003-03-14 | 2008-08-05 | Ajou University Industry Cooperation Foundation | Method of decrypting and analyzing encrypted malicious scripts |
US7649838B2 (en) | 2003-03-31 | 2010-01-19 | Adknowledge, Inc. | System and method for ranking the quality of internet traffic directed from one web site to another |
US8209680B1 (en) | 2003-04-11 | 2012-06-26 | Vmware, Inc. | System and method for disk imaging on diverse computers |
US20080229393A1 (en) | 2003-04-29 | 2008-09-18 | Congdon Paul T | Method and apparatus for access security services |
US20090019547A1 (en) | 2003-12-12 | 2009-01-15 | International Business Machines Corporation | Method and computer program product for identifying or managing vulnerabilities within a data processing network |
US8584239B2 (en) | 2004-04-01 | 2013-11-12 | Fireeye, Inc. | Virtual machine with dynamic data flow analysis |
US7664855B1 (en) | 2004-05-05 | 2010-02-16 | Juniper Networks, Inc. | Port scanning mitigation within a network through establishment of an a prior network connection |
US20050283837A1 (en) | 2004-06-16 | 2005-12-22 | Michael Olivier | Method and apparatus for managing computer virus outbreaks |
US20060168024A1 (en) | 2004-12-13 | 2006-07-27 | Microsoft Corporation | Sender reputations for spam prevention |
US20100043072A1 (en) | 2005-01-20 | 2010-02-18 | William Grant Rothwell | Computer protection against malware affection |
US7568233B1 (en) | 2005-04-01 | 2009-07-28 | Symantec Corporation | Detecting malicious software through process dump scanning |
US20090144826A2 (en) | 2005-06-30 | 2009-06-04 | Webroot Software, Inc. | Systems and Methods for Identifying Malware Distribution |
US20080155694A1 (en) | 2005-07-08 | 2008-06-26 | Kt Corporation | Malignant bot confrontation method and its system |
US20070039053A1 (en) | 2005-08-03 | 2007-02-15 | Aladdin Knowledge Systems Ltd. | Security server in the cloud |
US20070050850A1 (en) | 2005-08-30 | 2007-03-01 | Fujitsu Limited | Control method, control program, and control system |
US7779472B1 (en) | 2005-10-11 | 2010-08-17 | Trend Micro, Inc. | Application behavior based malware detection |
US20070106986A1 (en) | 2005-10-25 | 2007-05-10 | Worley William S Jr | Secure virtual-machine monitor |
US20130014259A1 (en) | 2006-01-23 | 2013-01-10 | University Of Washington Through Its Center For Commercialization | Detection of spyware threats within virtual machine |
US20070192857A1 (en) | 2006-02-16 | 2007-08-16 | Yuval Ben-Itzhak | System and method for enforcing a security context on a downloadable |
US7945908B1 (en) | 2006-03-31 | 2011-05-17 | Vmware, Inc. | Method and system for improving the accuracy of timing and process accounting within virtual machines |
US8566946B1 (en) | 2006-04-20 | 2013-10-22 | Fireeye, Inc. | Malware containment on connection |
US20070261112A1 (en) | 2006-05-08 | 2007-11-08 | Electro Guard Corp. | Network Security Device |
US8510827B1 (en) | 2006-05-18 | 2013-08-13 | Vmware, Inc. | Taint tracking mechanism for computer security |
US20080016552A1 (en) | 2006-07-12 | 2008-01-17 | Hart Matt E | Method and apparatus for improving security during web-browsing |
US8151352B1 (en) | 2006-07-14 | 2012-04-03 | Bitdefender IPR Managament Ltd. | Anti-malware emulation systems and methods |
US8646071B2 (en) | 2006-08-07 | 2014-02-04 | Symantec Corporation | Method and system for validating site data |
US20120192274A1 (en) | 2006-08-10 | 2012-07-26 | Wayne Odom | System, Method, and Device for Storing and Delivering Data |
US8141132B2 (en) | 2006-08-15 | 2012-03-20 | Symantec Corporation | Determining an invalid request |
US20080127338A1 (en) | 2006-09-26 | 2008-05-29 | Korea Information Security Agency | System and method for preventing malicious code spread using web technology |
US8578481B2 (en) | 2006-10-16 | 2013-11-05 | Red Hat, Inc. | Method and system for determining a probability of entry of a counterfeit domain in a browser |
US8838570B1 (en) | 2006-11-06 | 2014-09-16 | Trend Micro Incorporated | Detection of bot-infected computers using a web browser |
US20080177755A1 (en) | 2007-01-18 | 2008-07-24 | International Business Machines Corporation | Creation and persistence of action metadata |
US7870610B1 (en) | 2007-03-16 | 2011-01-11 | The Board Of Directors Of The Leland Stanford Junior University | Detection of malicious programs |
US20080320594A1 (en) | 2007-03-19 | 2008-12-25 | Xuxian Jiang | Malware Detector |
US7823202B1 (en) | 2007-03-21 | 2010-10-26 | Narus, Inc. | Method for detecting internet border gateway protocol prefix hijacking attacks |
US20080263658A1 (en) | 2007-04-17 | 2008-10-23 | Microsoft Corporation | Using antimalware technologies to perform offline scanning of virtual machine images |
US8011010B2 (en) | 2007-04-17 | 2011-08-30 | Microsoft Corporation | Using antimalware technologies to perform offline scanning of virtual machine images |
US20080263659A1 (en) | 2007-04-23 | 2008-10-23 | Christoph Alme | System and method for detecting malicious mobile program code |
US8321936B1 (en) | 2007-05-30 | 2012-11-27 | M86 Security, Inc. | System and method for malicious software detection in multiple protocols |
US7930273B1 (en) * | 2007-07-30 | 2011-04-19 | Adobe Systems Incorporated | Version management for application execution environment |
US20090055928A1 (en) | 2007-08-21 | 2009-02-26 | Kang Jung Min | Method and apparatus for providing phishing and pharming alerts |
US7958555B1 (en) | 2007-09-28 | 2011-06-07 | Trend Micro Incorporated | Protecting computer users from online frauds |
US20100107252A1 (en) | 2007-10-17 | 2010-04-29 | Sukarno Mertoguno | Cognizant engines: systems and methods for enabling program observability and controlability at instruction level granularity |
US8316440B1 (en) | 2007-10-30 | 2012-11-20 | Trend Micro, Inc. | System for detecting change of name-to-IP resolution |
US20090150419A1 (en) | 2007-12-10 | 2009-06-11 | Won Ho Kim | Apparatus and method for removing malicious code inserted into file |
US8201246B1 (en) | 2008-02-25 | 2012-06-12 | Trend Micro Incorporated | Preventing malicious codes from performing malicious actions in a computer system |
US8533842B1 (en) | 2008-03-07 | 2013-09-10 | Symantec Corporation | Method and apparatus for evaluating internet resources using a computer health metric |
US20090235357A1 (en) | 2008-03-14 | 2009-09-17 | Computer Associates Think, Inc. | Method and System for Generating a Malware Sequence File |
US20090241190A1 (en) | 2008-03-24 | 2009-09-24 | Michael Todd | System and method for securing a network from zero-day vulnerability exploits |
US20090282485A1 (en) | 2008-05-12 | 2009-11-12 | Bennett James D | Network browser based virus detection |
US8359651B1 (en) | 2008-05-15 | 2013-01-22 | Trend Micro Incorporated | Discovering malicious locations in a public computer network |
US20090288167A1 (en) | 2008-05-19 | 2009-11-19 | Authentium, Inc. | Secure virtualization system software |
US8443363B1 (en) | 2008-05-30 | 2013-05-14 | Symantec Corporation | Coordinated virtualization activities |
US8539577B1 (en) | 2008-06-20 | 2013-09-17 | Verisign, Inc. | System and method for fast flux detection |
US8464341B2 (en) | 2008-07-22 | 2013-06-11 | Microsoft Corporation | Detecting machines compromised with malware |
US20100037314A1 (en) | 2008-08-11 | 2010-02-11 | Perdisci Roberto | Method and system for detecting malicious and/or botnet-related domain names |
US8763125B1 (en) | 2008-09-26 | 2014-06-24 | Trend Micro, Inc. | Disabling execution of malware having a self-defense mechanism |
US20100154059A1 (en) | 2008-12-11 | 2010-06-17 | Kindsight | Network based malware detection and reporting |
US8484739B1 (en) | 2008-12-15 | 2013-07-09 | Symantec Corporation | Techniques for securely performing reputation based analysis using virtualization |
US20100162350A1 (en) | 2008-12-24 | 2010-06-24 | Korea Information Security Agency | Security system of managing irc and http botnets, and method therefor |
US20100175132A1 (en) | 2009-01-05 | 2010-07-08 | Andrew Zawadowskiy | Attack-resistant verification of auto-generated anti-malware signatures |
US7603713B1 (en) | 2009-03-30 | 2009-10-13 | Kaspersky Lab, Zao | Method for accelerating hardware emulator used for malware detection and analysis |
US8291468B1 (en) | 2009-03-30 | 2012-10-16 | Juniper Networks, Inc. | Translating authorization information within computer networks |
US20110099620A1 (en) | 2009-04-09 | 2011-04-28 | Angelos Stavrou | Malware Detector |
US8225317B1 (en) | 2009-04-17 | 2012-07-17 | Symantec Corporation | Insertion and invocation of virtual appliance agents through exception handling regions of virtual machines |
US8656491B1 (en) | 2009-04-25 | 2014-02-18 | Dasient, Inc. | Mitigating malware |
US8683584B1 (en) | 2009-04-25 | 2014-03-25 | Dasient, Inc. | Risk assessment |
US8370938B1 (en) | 2009-04-25 | 2013-02-05 | Dasient, Inc. | Mitigating malware |
US20100281458A1 (en) | 2009-04-30 | 2010-11-04 | Business Objects, S.A. | Application modification framework |
US20110041179A1 (en) | 2009-08-11 | 2011-02-17 | F-Secure Oyj | Malware detection |
US20110055923A1 (en) | 2009-09-02 | 2011-03-03 | Thomas Ross G | Hierarchical statistical model of internet reputation |
US20130091570A1 (en) | 2009-09-15 | 2013-04-11 | Symantec Corporation | Short-range mobile honeypot for sampling and tracking threats |
US20120117652A1 (en) | 2009-09-30 | 2012-05-10 | Jayaraman Manni | Network-Based Binary File Extraction and Analysis for Malware Detection |
US8572740B2 (en) | 2009-10-01 | 2013-10-29 | Kaspersky Lab, Zao | Method and system for detection of previously unknown malware |
US20110090911A1 (en) | 2009-10-21 | 2011-04-21 | Fang Hao | Method and apparatus for transparent cloud computing with a virtualized network infrastructure |
US8438639B2 (en) | 2009-10-22 | 2013-05-07 | Korea Internet & Security Agency | Apparatus for detecting and filtering application layer DDoS attack of web service |
US8443449B1 (en) | 2009-11-09 | 2013-05-14 | Trend Micro, Inc. | Silent detection of malware and feedback over a network |
US20120278889A1 (en) | 2009-11-20 | 2012-11-01 | El-Moussa Fadi J | Detecting malicious behaviour on a network |
US9003526B2 (en) | 2009-11-20 | 2015-04-07 | British Telecommunications Public Limited Company | Detecting malicious behaviour on a network |
US20120233691A1 (en) | 2009-11-26 | 2012-09-13 | Chengdu Huawei Symantec Technologies Co., Ltd. | Method, device and system for alerting against unknown malicious codes |
US20110161955A1 (en) | 2009-12-29 | 2011-06-30 | Woller Thomas R | Hypervisor isolation of processor cores |
US20110167495A1 (en) | 2010-01-06 | 2011-07-07 | Antonakakis Emmanouil | Method and system for detecting malware |
US20110173698A1 (en) | 2010-01-08 | 2011-07-14 | Microsoft Corporation | Mitigating false positives in malware detection |
US20110185425A1 (en) | 2010-01-22 | 2011-07-28 | National Taiwan University Of Science & Technology | Network attack detection devices and methods |
US20110271342A1 (en) | 2010-04-28 | 2011-11-03 | Electronics And Telecommunications Research Institute | Defense method and device against intelligent bots using masqueraded virtual machine information |
US8516591B2 (en) | 2010-05-13 | 2013-08-20 | Salesforce.Com, Inc. | Security monitoring |
US20110296486A1 (en) | 2010-05-26 | 2011-12-01 | Lloyd Leon Burch | Dynamic service access |
US20110296412A1 (en) | 2010-05-28 | 2011-12-01 | Gaurav Banga | Approaches for securing an internet endpoint using fine-grained operating system virtualization |
US8260914B1 (en) | 2010-06-22 | 2012-09-04 | Narus, Inc. | Detecting DNS fast-flux anomalies |
US8407324B2 (en) | 2010-07-01 | 2013-03-26 | Raytheon Company | Dynamic modification of the address of a proxy |
US8347100B1 (en) | 2010-07-14 | 2013-01-01 | F5 Networks, Inc. | Methods for DNSSEC proxying and deployment amelioration and systems thereof |
US20120042381A1 (en) | 2010-08-10 | 2012-02-16 | Manos Antonakakis | Method and system for determining whether domain names are legitimate or malicious |
US8707441B1 (en) | 2010-08-17 | 2014-04-22 | Symantec Corporation | Techniques for identifying optimized malicious search engine results |
US20120054869A1 (en) | 2010-08-31 | 2012-03-01 | Chui-Tin Yen | Method and apparatus for detecting botnets |
US20120240224A1 (en) | 2010-09-14 | 2012-09-20 | Georgia Tech Research Corporation | Security systems and methods for distinguishing user-intended traffic from malicious traffic |
US20120084860A1 (en) | 2010-10-01 | 2012-04-05 | Alcatel-Lucent Usa Inc. | System and method for detection of domain-flux botnets and the like |
US20120089700A1 (en) | 2010-10-10 | 2012-04-12 | Contendo, Inc. | Proxy server configured for hierarchical caching and dynamic site acceleration and custom object and associated method |
US20120096549A1 (en) | 2010-10-13 | 2012-04-19 | International Business Machines Corporation | Adaptive cyber-security analytics |
US9317680B2 (en) | 2010-10-20 | 2016-04-19 | Mcafee, Inc. | Method and system for protecting against unknown malicious activities by determining a reputation of a link |
US8756691B2 (en) | 2010-11-10 | 2014-06-17 | Symantec Corporation | IP-based blocking of malware |
US20120117650A1 (en) | 2010-11-10 | 2012-05-10 | Symantec Corporation | Ip-based blocking of malware |
US8521667B2 (en) | 2010-12-15 | 2013-08-27 | Microsoft Corporation | Detection and categorization of malicious URLs |
US20120291042A1 (en) | 2010-12-21 | 2012-11-15 | Qualcomm Incorporated | Minimizing resource latency between processor application states in a portable computing device by scheduling resource set transitions |
US8646088B2 (en) | 2011-01-03 | 2014-02-04 | International Business Machines Corporation | Runtime enforcement of security checks |
US8631489B2 (en) | 2011-02-01 | 2014-01-14 | Damballa, Inc. | Method and system for detecting malicious domain names at an upper DNS hierarchy |
US8402543B1 (en) | 2011-03-25 | 2013-03-19 | Narus, Inc. | Machine learning based botnet detection with dynamic adaptation |
US20120255031A1 (en) | 2011-03-28 | 2012-10-04 | Mcafee, Inc. | System and method for securing memory using below-operating system trapping |
US20120255019A1 (en) | 2011-03-29 | 2012-10-04 | Kindsight, Inc. | Method and system for operating system identification in a network based security monitoring solution |
WO2012134584A1 (en) | 2011-03-30 | 2012-10-04 | Intel Corporation | Method and apparatus for transparently instrumenting an application program |
US8479295B2 (en) | 2011-03-30 | 2013-07-02 | Intel Corporation | Method and apparatus for transparently instrumenting an application program |
US20120255018A1 (en) | 2011-03-31 | 2012-10-04 | Mcafee, Inc. | System and method for securing memory and storage of an electronic device with a below-operating system security agent |
US20120255021A1 (en) | 2011-03-31 | 2012-10-04 | Mcafee, Inc. | System and method for securing an input/output path of an application against malware with a below-operating system security agent |
US8826426B1 (en) | 2011-05-05 | 2014-09-02 | Symantec Corporation | Systems and methods for generating reputation-based ratings for uniform resource locators |
US20120291131A1 (en) | 2011-05-09 | 2012-11-15 | F-Secure Corporation | Malware detection |
US8966625B1 (en) | 2011-05-24 | 2015-02-24 | Palo Alto Networks, Inc. | Identification of malware sites using unknown URL sites and newly registered DNS addresses |
US20130047147A1 (en) | 2011-08-16 | 2013-02-21 | Campbell McNeill | Virtual Machine Asynchronous Patch Management |
US20130055394A1 (en) | 2011-08-24 | 2013-02-28 | Yolanta Beresnevichiene | Network security risk assessment |
US20130246685A1 (en) | 2011-09-09 | 2013-09-19 | Mcafee, Inc. | System and method for passive threat detection using virtual memory inspection |
US20130091350A1 (en) | 2011-10-07 | 2013-04-11 | Salesforce.Com, Inc. | Methods and systems for proxying data |
US8677487B2 (en) | 2011-10-18 | 2014-03-18 | Mcafee, Inc. | System and method for detecting a malicious command and control channel |
US20130104230A1 (en) | 2011-10-21 | 2013-04-25 | Mcafee, Inc. | System and Method for Detection of Denial of Service Attacks |
WO2013067505A1 (en) | 2011-11-03 | 2013-05-10 | Cyphort, Inc. | Systems and methods for virtualization and emulation assisted malware detection |
WO2013067508A1 (en) | 2011-11-03 | 2013-05-10 | Cyphort, Inc. | Systems and methods for virtualized malware detection |
US20130145008A1 (en) | 2011-12-01 | 2013-06-06 | International Business Machines Corporation | Enabling Co-Existence of Hosts or Virtual Machines with Identical Addresses |
US20130145002A1 (en) | 2011-12-01 | 2013-06-06 | International Business Machines Corporation | Enabling Co-Existence of Hosts or Virtual Machines with Identical Addresses |
US20130152200A1 (en) * | 2011-12-09 | 2013-06-13 | Christoph Alme | Predictive Heap Overflow Protection |
US8484732B1 (en) | 2012-02-01 | 2013-07-09 | Trend Micro Incorporated | Protecting computers against virtual machine exploits |
US20130227165A1 (en) | 2012-02-28 | 2013-08-29 | Comcast Cable Communications, LLC. | Load Balancing and Session Persistence in Packet Networks |
US20130232574A1 (en) | 2012-03-02 | 2013-09-05 | Cox Communications, Inc. | Systems and Methods of DNS Grey Listing |
WO2013134206A1 (en) | 2012-03-05 | 2013-09-12 | The Board Of Regents, The University Of Texas System | Automatically bridging the semantic gap in machine introspection |
US20130298244A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for threat identification and remediation |
US20130298242A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for providing mobile security based on dynamic attestation |
US20130298192A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for using reputation scores in network services and transactions to calculate security risks to computer systems and platforms |
US20130298243A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for orchestrating runtime operational integrity |
US20130298230A1 (en) | 2012-05-01 | 2013-11-07 | Taasera, Inc. | Systems and methods for network flow remediation based on risk correlation |
US20130298184A1 (en) | 2012-05-02 | 2013-11-07 | Cisco Technology, Inc. | System and method for monitoring application security in a network environment |
US20130326625A1 (en) | 2012-06-05 | 2013-12-05 | Los Alamos National Security, Llc | Integrating multiple data sources for malware classification |
US9223962B1 (en) | 2012-07-03 | 2015-12-29 | Bromium, Inc. | Micro-virtual machine forensics and detection |
US20140059641A1 (en) | 2012-08-22 | 2014-02-27 | International Business Machines Corporation | Automated feedback for proposed security rules |
US20140096131A1 (en) | 2012-09-28 | 2014-04-03 | Adventium Enterprises | Virtual machine services |
US9117079B1 (en) * | 2013-02-19 | 2015-08-25 | Trend Micro Inc. | Multiple application versions in a single virtual machine |
US20140283037A1 (en) | 2013-03-15 | 2014-09-18 | Michael Sikorski | System and Method to Extract and Utilize Disassembly Features to Classify Software Intent |
US20140337836A1 (en) | 2013-05-10 | 2014-11-13 | Fireeye, Inc. | Optimized resource allocation for virtual machines within a malware content detection system |
US20140380474A1 (en) | 2013-06-24 | 2014-12-25 | Fireeye, Inc. | System and Method for Detecting Time-Bomb Malware |
US20150058984A1 (en) | 2013-08-23 | 2015-02-26 | Nation Chiao Tung University | Computer-implemented method for distilling a malware program in a system |
US20150067862A1 (en) | 2013-08-30 | 2015-03-05 | Bank Of America Corporation | Malware analysis methods and systems |
US20150195299A1 (en) | 2014-01-07 | 2015-07-09 | Fair Isaac Corporation | Cyber security adaptive analytics threat monitoring system and method |
Non-Patent Citations (51)
Title |
---|
Abu Rajab et al., "A Multifaceted Approach to Understanding the Botnet Phenonmenon," Proceedings of the 6th ACM SIGCOMM conference on Internet measurement, 2006, 12 pages. |
Author Unknown, "FireEye Malware Analysis", FireEye.com, FireEye, Inc., 2010. |
Author Unknown, "Hybrid Sandboxing for Detecting and Analyzing Advanced and Unknown Malware", Blue Coat Systems, Inc., 2014. |
Author Unknown, "Multi-Vector Virtual Execution (MVX) Engine", FireEye, Inc., http://www.fireeye.com/products-and-solutions/virtual-execution-engine.html, 2014. |
Author Unknown, A Day in the Life of a BotArmy, Damballa, 2008. |
Author Unknown, Advanced Persistent Threats (APT), What's an APT? A Brief Definition, Damballa, Dec. 14, 2010. |
Author Unknown, Anatomy of a Targeted Attack, Damballa, Dec. 3, 2008. |
Author Unknown, AV, IDS/IPS and Damballa's Response to Targeted Attacks, A Technology Comparison, Damballa, Nov. 2008. |
Author Unknown, Closed Window, How Failsafe Enhancements Dramatically Limit Opportunities for Malware Armies and other Targeted Attacks, Damballa, Sep. 23, 2009. |
Author Unknown, Damballa: A Different Approach, Targeted Attacks Requires a New Solution, Damballa, Sep. 23, 2008. |
Author Unknown, Damballa's In-The-Cloud Security Model, Enterprise Protection Moves Beyond the Network Perimeter, Damballa, Aug. 24, 2008. |
Author Unknown, Executive Overview, The Command Structure of the Aurora Botnet, Damballa, Mar. 2010. |
Author Unknown, How to Be a Hero in the War Against BotArmies, Damballa, 2008. |
Author Unknown, Layer 8, How and Why Targeted Attacks Exploit Your Users, Damballa, Nov. 2011. |
Author Unknown, Targeted Attacks for Fun and Profit, An Executed Guide to a New and Growing Enterprise Threat, Damballa, Oct. 13, 2008. |
Author Unknown, Trust Betrayed, What to Do When a Targeted Attack Turns Your Networks Against You, Damballa, Feb. 22, 2008. |
Author Unknown, Updated on the Enemy, A Deconstruction of Who Profits From Botnets, Damballa, May 13, 2009. |
Binkley, James R. et al., An Algorithm for Anomaly-based Botnet Detection, Jul. 2006. |
Chen et al., "Chapter 4: Guarding Against Network Intrusions," Network and System Security, Elsevier Inc., 2009, 5 pages. |
Davidoff et al., "Chapter 12: Malware Forensics", Network Forensics: Tracking Hackers Through Cyberspace, Pearson Education Inc., Jun. 2012, 60 pages. |
Dittrich et al., P2P as Botnet Command and Control; A Deeper Insight, 2008 3rd International Conference on Malicious and Unwanted Software (MALWARE), Oct. 2008, IEEE, vol. 10, pp. 41-48. |
Giroire, Frederic et al., Exploiting Temporal Persistence to Detect Convert Botnet Channels, Sep. 2009. |
Goebel, Jan et al., Rishi: Identify Bot Contaminated Hosts by IRC Nickname Evaluation, Apr. 2007. |
Gu, Guofei et al., BotHunter: Detecting Malware Infection Through IDS-Driven Dialog Correlation, Aug. 2007. |
Gu, Guofei et al., BotMiner: Clustering Analysis of Network Traffic for Protocol- and Structure-Independent Botnet Detection, Jul. 2008. |
Gu, Guofei et al., BotSniffer: Detecting Botnet Command and Control Channels in Network Traffic, Feb. 2008. |
Karasaridis, Anestis et al., Wide-scale Botnet Detection and Characterization, Dec. 14, 2010. |
Landecki, Grzegorz, Detecting Botnets, Linux Journal, Jan. 1, 2009. |
Lau et al., "Measuring Virtual Machine Detection in Malware using DSD Tracer", Sophoslabs, Journal in Computer Virology, 2008. |
Ligh et al., "Chapter 5: Researching Domains and IP Addresses," Malware Analyst's Cookbook, John Wiley & Sons, 2011, 38 pages. |
Lindorfer et al., "Detecting Enviroment-Sensitive Malware", Recent Advances in Intrusion Detection. Springer Berlin Heidelberg, 2011. |
Livadas, Carl et al., Using Machine Learning Techniques to Identify Botnet Traffic, BBN Technologies, Nov. 2006. |
Nazario et al., As the Net Churns: Fast-Flux Botnet Observations, IEEE, pp. 24-31, Sep. 5, 2008. |
Ollmann, Gunter, Botnet Communication Topologies, Understanding the Intricacies of Bonet Command and Control, Damballa, Jun. 2009. |
Ollmann, Gunter, Extracting CnC from Malware, The Role of malware Sample Analysis in Botnet Detection, Damballa, Dec. 8, 2009. |
Ollmann, Gunter, Serial Variant Evasion Tactics, Techniques Used to Automatically Bypass Antivirus Technologies, Damballa, Oct. 7, 2009. |
Ollmann, Gunter, The Botnet vs. Malware Relationship, The One to one Botnet Myth, Damballa, Jun. 2009. |
Ollmann, Gunter, The Opt-IN Botnet Generation, Hacktivism and Centrally Controlled Protesting, Social Networks, Damballa, Apr. 26, 2010. |
Ramachandran, Anirudh et al., Revealing Botnet Membership Using DNSBL Counter-Intelligence, Jul. 7, 2006. |
Royal, Paul, Analysis of the Kraken Botnet, Damballa, Apr. 9, 2008. |
Russ White, "High Availability in Routing", Mar. 2004, Cisco Systems, vol. 7, Issue 1, pp. 2-14. |
Schechter et al., "Fast Detection of Scanning Worm Infections," Recent Advances in Intrusion Detection: 7th International Symposium RAID 2004 Proceedings, 2004, 24 pages. |
Sikorski et al., "Chapter 14: Malware-Focused Network Signatures," Practical Malware Anlaysis, No Starch Press, Feb. 2012, 13 pages. |
Singh et al., "Hot Knives Through Butter: Evading File-based Sandboxes", FireEye, Inc., Feb. 2014. |
Strayer, W. Timothy et al. Detecting Botnets with Tight Command and Control, BBN Technologies, Nov. 2006. |
Sun et al. "Malware Virtualization-resistant behavior detection", 2011 IEEE, pp. 912-917. |
van der Heide et al., "DNS Anomaly Detection," System and Network Engineering Research Group, University of Amsterdam, Feb. 6, 2011, 20 pages. |
Wagener et al., "An Instrumented Analysis of Unknown Software and Malware Driven by Free Libre Open Source Software", Signal Image Technology and Internet Based Systems, 2008. SITIS'08. IEEE International Conference on. IEEE, 2008. |
Yadav et al., "Detecting Algorithmically Generated Malicious Domain Names", Nov. 2010. |
Yen, Ting-Fang et al., Traffic Aggregation for Malware Detection, Jul. 2008. |
Zang et al., "Botnet Detection Through Fine Flow Classifcation", CSE Dept. Technical Report No. CSE11-001, p. 1-17, Jan. 31, 2011. |
Cited By (61)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10425441B2 (en) | 2014-12-03 | 2019-09-24 | Splunk Inc. | Translating security actions to action procedures in an advisement system |
US9888029B2 (en) | 2014-12-03 | 2018-02-06 | Phantom Cyber Corporation | Classifying kill-chains for security incidents |
US11895143B2 (en) | 2014-12-03 | 2024-02-06 | Splunk Inc. | Providing action recommendations based on action effectiveness across information technology environments |
US9712555B2 (en) * | 2014-12-03 | 2017-07-18 | Phantom Cyber Corporation | Automated responses to security threats |
US10855718B2 (en) | 2014-12-03 | 2020-12-01 | Splunk Inc. | Management of actions in a computing environment based on asset classification |
US11870802B1 (en) | 2014-12-03 | 2024-01-09 | Splunk Inc. | Identifying automated responses to security threats based on communication interactions content |
US9871818B2 (en) | 2014-12-03 | 2018-01-16 | Phantom Cyber Corporation | Managing workflows upon a security incident |
US11757925B2 (en) | 2014-12-03 | 2023-09-12 | Splunk Inc. | Managing security actions in a computing environment based on information gathering activity of a security threat |
US9954888B2 (en) | 2014-12-03 | 2018-04-24 | Phantom Cyber Corporation | Security actions for computing assets based on enrichment information |
US10476905B2 (en) | 2014-12-03 | 2019-11-12 | Splunk Inc. | Security actions for computing assets based on enrichment information |
US10116687B2 (en) | 2014-12-03 | 2018-10-30 | Splunk Inc. | Management of administrative incident response based on environmental characteristics associated with a security incident |
US10158663B2 (en) | 2014-12-03 | 2018-12-18 | Splunk Inc. | Incident response using asset configuration data |
US10193920B2 (en) | 2014-12-03 | 2019-01-29 | Splunk Inc. | Managing security actions in a computing environment based on communication activity of a security threat |
US11805148B2 (en) | 2014-12-03 | 2023-10-31 | Splunk Inc. | Modifying incident response time periods based on incident volume |
US11765198B2 (en) | 2014-12-03 | 2023-09-19 | Splunk Inc. | Selecting actions responsive to computing environment incidents based on severity rating |
US10425440B2 (en) | 2014-12-03 | 2019-09-24 | Splunk Inc. | Implementing security actions in an advisement system based on obtained software characteristics |
US9762607B2 (en) | 2014-12-03 | 2017-09-12 | Phantom Cyber Corporation | Incident response automation engine |
US20160164908A1 (en) * | 2014-12-03 | 2016-06-09 | Phantom Cyber Corporation | Containment of security threats within a computing environment |
US10063587B2 (en) | 2014-12-03 | 2018-08-28 | Splunk Inc. | Management of security actions based on computing asset classification |
US11677780B2 (en) | 2014-12-03 | 2023-06-13 | Splunk Inc. | Identifying automated response actions based on asset classification |
US11658998B2 (en) | 2014-12-03 | 2023-05-23 | Splunk Inc. | Translating security actions into computing asset-specific action procedures |
US11647043B2 (en) | 2014-12-03 | 2023-05-09 | Splunk Inc. | Identifying security actions based on computing asset relationship data |
US11323472B2 (en) | 2014-12-03 | 2022-05-03 | Splunk Inc. | Identifying automated responses to security threats based on obtained communication interactions |
US10554687B1 (en) | 2014-12-03 | 2020-02-04 | Splunk Inc. | Incident response management based on environmental characteristics |
US10567424B2 (en) | 2014-12-03 | 2020-02-18 | Splunk Inc. | Determining security actions for security threats using enrichment information |
US20160164916A1 (en) * | 2014-12-03 | 2016-06-09 | Phantom Cyber Corporation | Automated responses to security threats |
US10616264B1 (en) | 2014-12-03 | 2020-04-07 | Splunk Inc. | Incident response management based on asset configurations in a computing environment |
US11190539B2 (en) | 2014-12-03 | 2021-11-30 | Splunk Inc. | Modifying incident response time periods based on containment action effectiveness |
US11165812B2 (en) * | 2014-12-03 | 2021-11-02 | Splunk Inc. | Containment of security threats within a computing environment |
US11025664B2 (en) | 2014-12-03 | 2021-06-01 | Splunk Inc. | Identifying security actions for responding to security threats based on threat state information |
US11019093B2 (en) | 2014-12-03 | 2021-05-25 | Splunk Inc. | Graphical interface for incident response automation |
US11019092B2 (en) | 2014-12-03 | 2021-05-25 | Splunk. Inc. | Learning based security threat containment |
US10986120B2 (en) | 2014-12-03 | 2021-04-20 | Splunk Inc. | Selecting actions responsive to computing environment incidents based on action impact information |
US10834120B2 (en) | 2014-12-03 | 2020-11-10 | Splunk Inc. | Identifying related communication interactions to a security threat in a computing environment |
US11294705B1 (en) * | 2015-03-31 | 2022-04-05 | Fireeye Security Holdings Us Llc | Selective virtualization for security threat detection |
US11163879B2 (en) * | 2015-03-31 | 2021-11-02 | Juniper Networks, Inc. | Multi-file malware analysis |
US20160335110A1 (en) * | 2015-03-31 | 2016-11-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US11868795B1 (en) * | 2015-03-31 | 2024-01-09 | Musarubra Us Llc | Selective virtualization for security threat detection |
US20170344740A1 (en) * | 2015-03-31 | 2017-11-30 | Juniper Networks, Inc. | Configuring a sandbox environment for malware testing |
US10474813B1 (en) * | 2015-03-31 | 2019-11-12 | Fireeye, Inc. | Code injection technique for remediation at an endpoint of a network |
US10417031B2 (en) * | 2015-03-31 | 2019-09-17 | Fireeye, Inc. | Selective virtualization for security threat detection |
US10380337B2 (en) * | 2015-03-31 | 2019-08-13 | Juniper Networks, Inc. | Configuring a sandbox environment for malware testing |
US10817606B1 (en) * | 2015-09-30 | 2020-10-27 | Fireeye, Inc. | Detecting delayed activation malware using a run-time monitoring agent and time-dilation logic |
US10706149B1 (en) * | 2015-09-30 | 2020-07-07 | Fireeye, Inc. | Detecting delayed activation malware using a primary controller and plural time controllers |
US10445502B1 (en) * | 2015-12-31 | 2019-10-15 | Fireeye, Inc. | Susceptible environment detection system |
US10671721B1 (en) | 2016-03-25 | 2020-06-02 | Fireeye, Inc. | Timeout management services |
US10601863B1 (en) | 2016-03-25 | 2020-03-24 | Fireeye, Inc. | System and method for managing sensor enrollment |
US10785255B1 (en) | 2016-03-25 | 2020-09-22 | Fireeye, Inc. | Cluster configuration within a scalable malware detection system |
US10476906B1 (en) | 2016-03-25 | 2019-11-12 | Fireeye, Inc. | System and method for managing formation and modification of a cluster within a malware detection system |
US10496819B2 (en) * | 2016-05-20 | 2019-12-03 | AO Kaspersky Lab | System and method of distributing files between virtual machines forming a distributed system for performing antivirus scans |
US11372975B2 (en) * | 2016-07-12 | 2022-06-28 | The Quantum Group, Inc. | Event detection and management system |
US10776482B2 (en) | 2018-05-18 | 2020-09-15 | International Business Machines Corporation | Automated virtual machine integrity checks |
US20190370436A1 (en) * | 2018-05-31 | 2019-12-05 | Microsoft Technology Licensing, Llc | Memory assignment for guest operating systems |
US10795974B2 (en) * | 2018-05-31 | 2020-10-06 | Microsoft Technology Licensing, Llc | Memory assignment for guest operating systems |
US11263332B2 (en) * | 2018-07-31 | 2022-03-01 | International Business Machines Corporation | Methods to discourage unauthorized register access |
US11586735B2 (en) * | 2018-08-28 | 2023-02-21 | AlienVault, Inc. | Malware clustering based on analysis of execution-behavior reports |
US11693962B2 (en) | 2018-08-28 | 2023-07-04 | AlienVault, Inc. | Malware clustering based on function call graph similarity |
US20210240829A1 (en) * | 2018-08-28 | 2021-08-05 | AlienVault, Inc. | Malware Clustering Based on Analysis of Execution-Behavior Reports |
US10990674B2 (en) | 2018-08-28 | 2021-04-27 | AlienVault, Inc. | Malware clustering based on function call graph similarity |
US10984104B2 (en) * | 2018-08-28 | 2021-04-20 | AlienVault, Inc. | Malware clustering based on analysis of execution-behavior reports |
US11558402B2 (en) | 2019-10-28 | 2023-01-17 | Cisco Technology, Inc. | Virtual switch-based threat defense for networks with multiple virtual network functions |
Also Published As
Publication number | Publication date |
---|---|
US10204221B2 (en) | 2019-02-12 |
US20190138714A1 (en) | 2019-05-09 |
US10515210B2 (en) | 2019-12-24 |
US20170068815A1 (en) | 2017-03-09 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US10515210B2 (en) | Detection of malware using an instrumented virtual machine environment | |
US10803168B2 (en) | Rendering an object using multiple versions of an application in a single process for dynamic malware analysis | |
US9996695B2 (en) | Dynamic malware analysis of a URL using a browser executed in an instrumented virtual machine environment | |
US10404661B2 (en) | Integrating a honey network with a target network to counter IP and peer-checking evasion techniques | |
US10992704B2 (en) | Dynamic selection and generation of a virtual clone for detonation of suspicious content within a honey network | |
US10230689B2 (en) | Bridging a virtual clone of a target device in a honey network to a suspicious device in an enterprise network | |
US10706145B2 (en) | Runtime detection of vulnerabilities in software containers | |
US10015198B2 (en) | Synchronizing a honey network configuration to reflect a target network environment | |
US10216931B2 (en) | Detecting an attempt to exploit a memory allocation vulnerability | |
US9548990B2 (en) | Detecting a heap spray attack | |
US11861008B2 (en) | Using browser context in evasive web-based malware detection | |
US10505975B2 (en) | Automatic repair of corrupt files for a detonation engine | |
US9584550B2 (en) | Exploit detection based on heap spray detection | |
US11880465B2 (en) | Analyzing multiple CPU architecture malware samples |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AS | Assignment |
Owner name: PALO ALTO NETWORKS, INC., CALIFORNIA Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNORS:LU, CHIENHUA;QU, BO;REEL/FRAME:033806/0318 Effective date: 20140902 |
|
STCF | Information on status: patent grant |
Free format text: PATENTED CASE |
|
MAFP | Maintenance fee payment |
Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY Year of fee payment: 4 |